General

  • Target

    PROFORMA-PDA 00GGTBGX00001A.xlsx

  • Size

    362KB

  • Sample

    210924-m59d3sgfhr

  • MD5

    3428e8b6d05df7add0dd9914432467a0

  • SHA1

    89cd998b04e84731ebd9ec51c3d72ef40b15249e

  • SHA256

    2a6b9eb5645b5e292c85eeb7236eb00361e74ece1e8debfb33873bc72461a67e

  • SHA512

    54844961e87bda2d971c82a506365cf62cdb9918fe98d379101d984883eaf6014e1ab564de5edc6b38f90838895da89a0ec973b5c2a5094833e179646581cd2d

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    9gdg

  • C2

    http://www.dechocolate.online/9gdg/

  • Decoy

    cao-catos.ca
    humanityumbrella.com
    heatherflintford.com
    paddyjulian.com
    venturedart.com
    pimpyoursmile.com
    shellbacklabs.com
    acesteeisupply.com
    socotrajeweltours.com
    aykutozden.com
    corncobmeal.com
    lesbiansforever.com
    picknock.com
    pawspetreiki.com
    waikikidesignco.com
    lelittnpasumo4.xyz
    billing-updating.info
    barangdapo.com
    gatorfirerescue.com
    jmovt.com

Targets

    • Target

      PROFORMA-PDA 00GGTBGX00001A.xlsx

    • Size

      362KB

    • MD5

      3428e8b6d05df7add0dd9914432467a0

    • SHA1

      89cd998b04e84731ebd9ec51c3d72ef40b15249e

    • SHA256

      2a6b9eb5645b5e292c85eeb7236eb00361e74ece1e8debfb33873bc72461a67e

    • SHA512

      54844961e87bda2d971c82a506365cf62cdb9918fe98d379101d984883eaf6014e1ab564de5edc6b38f90838895da89a0ec973b5c2a5094833e179646581cd2d

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                          Count  ID
  Execution          Scripting                          1      T1064
  Execution          Exploitation for Client Execution  1      T1203
  Defense Evasion    Scripting                          1      T1064
  Defense Evasion    Modify Registry                    1      T1112
  Discovery          System Information Discovery       3      T1082
  Discovery          Query Registry                     2      T1012
