Overview

overview

10

Static

static

Order Form.xlsx

windows7_x64

10

Order Form.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Order Form.xlsx

  • Size

    369KB

  • Sample

    211021-gr18naagcq

  • MD5

    4434e645d8eeb07c9bd8e01713b39c10

  • SHA1

    12d021e0f7897023be1f07b58f9d8c8912b5e78a

  • SHA256

    e9154b29bd87ce3234088a1a5f57531ec378daf59c7399fc054392a857219b22

  • SHA512

    d3cd47f0d99b0c20fd332f00f6f12ab985beadc9b8ec6bd4b722a6dc220ec67e01a521c3c6f576f9813901b1ccb632c61d5e5d8ab3a007a87144c1061b50a7bf

Score
10/10
xloaderht08loaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ht08

C2

http://www.septemberstockevent200.com/ht08/

Decoy

joye.club

istanbulemlakgalerisi.online

annikadaniel.love

oooci.com

curebase-test.com

swisstradecenter.com

hacticum.com

centercodebase.com

recbi56ni.com

mmj0115.xyz

sharpstead.com

sprklbeauty.com

progettogenesi.cloud

dolinum.com

amaroqadvisors.com

traininig.com

leewaysvcs.com

nashhomesearch.com

joy1263.com

serkanyamac.com

Targets

    • Target

      Order Form.xlsx

    • Size

      369KB

    • MD5

      4434e645d8eeb07c9bd8e01713b39c10

    • SHA1

      12d021e0f7897023be1f07b58f9d8c8912b5e78a

    • SHA256

      e9154b29bd87ce3234088a1a5f57531ec378daf59c7399fc054392a857219b22

    • SHA512

      d3cd47f0d99b0c20fd332f00f6f12ab985beadc9b8ec6bd4b722a6dc220ec67e01a521c3c6f576f9813901b1ccb632c61d5e5d8ab3a007a87144c1061b50a7bf

    Score
    10/10
    xloaderht08loaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks