General

  • Target

    MOQ-Request_0927210-006452.xlsx

  • Size

    379KB

  • Sample

    210927-j4fhtsgafk

  • MD5

    154572bc1a3a7b1f732219dfce1d7985

  • SHA1

    c79ee1ba99792a20a85dd1b55ce813567d33109a

  • SHA256

    54bd4d38f3a15017ed0ceab138e8348d3ba97a6789920b50b5e93b5d0eec1ec9

  • SHA512

    b28d127f51723e417ebab1e2d72830beaa3be45908749cf91e07d6c92ae673fc116a0138df5cb81c4ed3050ec64b7a1d34632d5436e368f43b6ed77cef41ceec

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

m0np

C2

http://www.devmedicalcentre.com/m0np/

Decoy

gruppovimar.com

seniordatingtv.com

pinpinyouqian.website

retreatreflectreplenish.com

baby-handmade.store

econsupplies.com

helloaustinpodcast.com

europe-lodging.com

ferahanaokulu.com

thehomeinspo.com

rawhoneytnpasumo6.xyz

tyckasei.quest

scissorsandbuffer.com

jatinvestmentsmaldives.com

softandcute.store

afuturemakerspromotions.online

leonsigntech.com

havetheshortscovered.com

cvkf.email

iplyyu.com

Targets

    • Target

      MOQ-Request_0927210-006452.xlsx

    • Size

      379KB

    • MD5

      154572bc1a3a7b1f732219dfce1d7985

    • SHA1

      c79ee1ba99792a20a85dd1b55ce813567d33109a

    • SHA256

      54bd4d38f3a15017ed0ceab138e8348d3ba97a6789920b50b5e93b5d0eec1ec9

    • SHA512

      b28d127f51723e417ebab1e2d72830beaa3be45908749cf91e07d6c92ae673fc116a0138df5cb81c4ed3050ec64b7a1d34632d5436e368f43b6ed77cef41ceec

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
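The extracted config above (one confirmed C2 plus a list of decoy domains that Formbook/Xloader contacts with the same URI pattern) and the FormBook check-in alert listed in the signatures are what a responder turns into hunting logic. The following is an added example, not tria.ge or Xloader code: it builds an IOC set from the report's C2 URL and decoy list, then classifies constructed proxy-log records (the log format and the records themselves are made up for illustration) into C2 check-in, other C2 traffic, and decoy contact.

```python
"""Use the config extracted in this report as IOCs and run constructed proxy
log lines against them.  Added example (not tria.ge or Xloader code); the log
format and records below are constructed for illustration."""
from urllib.parse import urlparse

# Copied from the report's Malware Config section.
C2_URL = "http://www.devmedicalcentre.com/m0np/"
DECOYS = [
    "gruppovimar.com", "seniordatingtv.com", "pinpinyouqian.website",
    "retreatreflectreplenish.com", "baby-handmade.store", "econsupplies.com",
    "helloaustinpodcast.com", "europe-lodging.com", "ferahanaokulu.com",
    "thehomeinspo.com", "rawhoneytnpasumo6.xyz", "tyckasei.quest",
    "scissorsandbuffer.com", "jatinvestmentsmaldives.com", "softandcute.store",
    "afuturemakerspromotions.online", "leonsigntech.com",
    "havetheshortscovered.com", "cvkf.email", "iplyyu.com",
]


def strip_www(host):
    """Normalise a hostname: lowercase, drop trailing dot and a leading www."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_iocs(c2_url, decoys):
    """Map domain -> confidence label, and return the campaign path.

    Formbook/Xloader hides its real C2 among decoy domains and contacts the
    decoys with the same URI pattern, so every listed domain is an indicator;
    only the extracted C2 is high confidence.
    """
    parsed = urlparse(c2_url)
    iocs = {strip_www(parsed.hostname): "c2"}
    for d in decoys:
        iocs.setdefault(strip_www(d), "decoy")
    return iocs, parsed.path.rstrip("/")


def domain_matches(host, ioc_domain):
    """True if host is the IOC domain or a subdomain of it."""
    return host == ioc_domain or host.endswith("." + ioc_domain)


def classify_request(method, url, iocs, campaign_path):
    """Return 'c2-checkin', 'c2', 'decoy' or None for one proxied request."""
    parsed = urlparse(url)
    host = strip_www(parsed.hostname or "")
    for dom, kind in iocs.items():
        if not domain_matches(host, dom):
            continue
        # The ET "FormBook CnC Checkin (GET)" alert in the report fires on the
        # GET beacon to the campaign path; keep that distinct from other
        # traffic (e.g. POSTs) to the same host and path.
        if kind == "c2" and method == "GET" and parsed.path.rstrip("/") == campaign_path:
            return "c2-checkin"
        return kind
    return None


def scan_proxy_log(lines, iocs, campaign_path):
    """lines: 'timestamp client method url status' records (constructed format).

    Returns (client, classification, host) for every record that hits an IOC.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records rather than crash on them
        _ts, client, method, url, _status = parts
        kind = classify_request(method.upper(), url, iocs, campaign_path)
        if kind:
            hits.append((client, kind, strip_www(urlparse(url).hostname or "")))
    return hits


# Constructed sample records; not traffic captured in the report.
SAMPLE_LOG = [
    "2021-09-27T10:12:01Z 10.0.0.15 GET http://www.devmedicalcentre.com/m0np/?abcd=efgh 200",
    "2021-09-27T10:12:03Z 10.0.0.15 GET http://www.gruppovimar.com/m0np/?abcd=efgh 404",
    "2021-09-27T10:12:05Z 10.0.0.22 GET https://example.org/index.html 200",
    "2021-09-27T10:12:07Z 10.0.0.15 POST http://www.devmedicalcentre.com/m0np/ 200",
    "garbage line",
]

if __name__ == "__main__":
    iocs, campaign_path = build_iocs(C2_URL, DECOYS)
    for hit in scan_proxy_log(SAMPLE_LOG, iocs, campaign_path):
        print(hit)
```

A host like 10.0.0.15 that hits both the confirmed C2 and a decoy within seconds is the pattern to look for: the decoy contacts on their own are low confidence (some of the listed domains are ordinary sites), but paired with the campaign-path GET to the extracted C2 they corroborate an infected host.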

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (T1064) ×1

    Exploitation for Client Execution (T1203) ×1

  • Defense Evasion

    Scripting (T1064) ×1

    Modify Registry (T1112) ×1

  • Discovery

    System Information Discovery (T1082) ×3

    Query Registry (T1012) ×2

Tasks