PROFORMA-PDA 00GGTBGX00001A.xlsx

General

Target: PROFORMA-PDA 00GGTBGX00001A.xlsx
Size: 362KB
Sample: 210924-phmmxahacp
Score: 10/10
MD5: 3428e8b6d05df7add0dd9914432467a0
SHA1: 89cd998b04e84731ebd9ec51c3d72ef40b15249e
SHA256: 2a6b9eb5645b5e292c85eeb7236eb00361e74ece1e8debfb33873bc72461a67e
SHA512: 54844961e87bda2d971c82a506365cf62cdb9918fe98d379101d984883eaf6014e1ab564de5edc6b38f90838895da89a0ec973b5c2a5094833e179646581cd2d

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: 9gdg
C2: http://www.dechocolate.online/9gdg/

Decoy:

cao-catos.ca
humanityumbrella.com
heatherflintford.com
paddyjulian.com
venturedart.com
pimpyoursmile.com
shellbacklabs.com
acesteeisupply.com
socotrajeweltours.com
aykutozden.com
corncobmeal.com
lesbiansforever.com
picknock.com
pawspetreiki.com
waikikidesignco.com
lelittnpasumo4.xyz
billing-updating.info
barangdapo.com
gatorfirerescue.com
jmovt.com
yozotnpasumo4.xyz
theindiandreams.com
javfish.com
algorham.photography
eurocustompainting.com
commentcard.club
probinns.com
yourlenderjake.net
bestofmdi.guide
miniperfumeria.com
shanxishuangcheng.com
viviantle.com
metaverseliveshopping.com
xn--vckzfv91k.com
garygoodtime.com
meysaninsaat.com
vietnamagritourism.online
greenpillers.net
hughhegartyhedgecutting.com
clarkdn.com
b148t1rfm01qvtbnvgc5418.com
trump-911-memorial.com
seekr.tech
amarettoliqueur.info
planext4u.com
dzairfoot24.com
freshstartdaycarecenterinc.com
redwoodwomen.com
reallyfuntastic.com
cc-expert.com

Targets

Target: PROFORMA-PDA 00GGTBGX00001A.xlsx
MD5: 3428e8b6d05df7add0dd9914432467a0
Filesize: 362KB
Score: 10/10
SHA1: 89cd998b04e84731ebd9ec51c3d72ef40b15249e
SHA256: 2a6b9eb5645b5e292c85eeb7236eb00361e74ece1e8debfb33873bc72461a67e
SHA512: 54844961e87bda2d971c82a506365cf62cdb9918fe98d379101d984883eaf6014e1ab564de5edc6b38f90838895da89a0ec973b5c2a5094833e179646581cd2d

Signatures

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
  • Xloader Payload
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Loads dropped DLL
  • Uses the VBS compiler for execution
    TTPs: Scripting
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation

Tasks

static1
behavioral1: 10/10
behavioral2: 1/10