General

  • Target

    09090.xlsx

  • Size

    269KB

  • Sample

    211011-pspv1shbgp

  • MD5

    6fde5f271c363c8c6958c79a97ba4208

  • SHA1

    7fc836aaf75422e4d8a4c62b3c5136d464e24f8f

  • SHA256

    033372113246279f04ccac1fab6748a2bfd2ed9b9c5cb980534f444dac558af8

  • SHA512

    8fbb97b4ed844864b8aba660496b34176967343bea968108568426e227a83c70ad2159bbc532c1ac3b6fa832bd54cc3e5bbede6abc4986101ca6f7f026b81b00

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    b2c0

  • C2

    http://www.thesewhitevvalls.com/b2c0/

  • Decoy

    bjyxszd520.xyz
    hsvfingerprinting.com
    elliotpioneer.com
    bf396.com
    chinaopedia.com
    6233v.com
    shopeuphoricapparel.com
    loccssol.store
    truefictionpictures.com
    playstarexch.com
    peruviancoffee.store
    shobhajoshi.com
    philme.net
    avito-rules.com
    independencehomecenters.com
    atp-cayenne.com
    invetorsbank.com
    sasanos.com
    scentfreebnb.com
    catfuid.com

Targets

    • Target

      09090.xlsx


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3
    Query Registry (T1012): 2

Tasks