General

  • Target

    Purchase_order_21518..xlsx

  • Size

    369KB

  • Sample

    211021-wlbhdaaeh4

  • MD5

    ed8f6c80d452216334d567e436083218

  • SHA1

    920f2cf0d8c596bbeaa1b8c02fcf021b63b15e3e

  • SHA256

    29dd041104753d8f02fdab92cb502f4c263c8e22605bd5ddeb352b416cc9044d

  • SHA512

    993dfd924731f6b4eb5453a2e9483427dba79d70849b20678f9e8f68f09a7266714c07989687d78df6877266743bc244444fbf0d7ab848449273bf1b54023446

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

mwev

C2

http://www.scion-go-getter.com/mwev/

Decoy

9linefarms.com

meadow-spring.com

texascountrycharts.com

chinatowndeliver.com

grindsword.com

thegurusigavebirthto.com

rip-online.com

lm-safe-keepingtoyof6.xyz

plumbtechconsulting.com

jgoerlach.com

inbloomsolutions.com

foxandmew.com

tikomobile.store

waybunch.com

thepatriottutor.com

qask.top

pharmacylinked.com

ishii-miona.com

sugarandrocks.com

anabolenpower.net
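The config above gives the real C2 URL and a list of decoy domains. Xloader (Formbook) beacons to the genuine C2 and to the decoys using the same campaign path, so a proxy-log hunt has to key on the path as well as the host, and treat decoy hits as noise rather than as attacker infrastructure. The following Python is an added example written for this page, not part of the sandbox report or of any vendor tooling: it derives a beacon profile from the extracted config, classifies HTTP requests as `c2`, `decoy` or `benign`, and runs that over a few constructed proxy log lines. The `timestamp src method host uri` log format and the stripping of a leading `www.` before comparing hosts are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Values taken from the "Malware Config" section of this report.
C2_URL = "http://www.scion-go-getter.com/mwev/"
DECOY_DOMAINS = [
    "9linefarms.com", "meadow-spring.com", "texascountrycharts.com",
    "chinatowndeliver.com", "grindsword.com", "thegurusigavebirthto.com",
    "rip-online.com", "lm-safe-keepingtoyof6.xyz", "plumbtechconsulting.com",
    "jgoerlach.com", "inbloomsolutions.com", "foxandmew.com",
    "tikomobile.store", "waybunch.com", "thepatriottutor.com", "qask.top",
    "pharmacylinked.com", "ishii-miona.com", "sugarandrocks.com",
    "anabolenpower.net",
]


def _norm_host(host):
    # Assumption: compare on the bare name, ignoring case and a leading "www."
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_beacon_profile(c2_url, decoys):
    """Derive (campaign_path, c2_host, decoy_hosts) from the extracted config."""
    parts = urlsplit(c2_url)
    if not parts.hostname or not parts.path:
        raise ValueError("C2 URL must carry a host and a campaign path")
    return parts.path, _norm_host(parts.hostname), {_norm_host(d) for d in decoys}


def classify_request(host, uri, profile):
    """Return 'c2', 'decoy' or 'benign' for one HTTP request."""
    campaign_path, c2_host, decoys = profile
    h = _norm_host(host)
    path = urlsplit(uri).path          # drop the query string, keep the path
    if h == c2_host:
        return "c2"                    # attacker host: any contact is a hit
    if h in decoys and path.startswith(campaign_path):
        return "decoy"                 # legitimate site hit with the campaign path
    return "benign"                    # decoy without the path is ordinary browsing


def triage_proxy_log(lines, profile):
    """Parse 'timestamp src method host uri' lines; return hits keyed by verdict."""
    hits = {"c2": [], "decoy": []}
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                   # skip malformed lines instead of crashing
        _ts, src, method, host, uri = fields
        verdict = classify_request(host, uri, profile)
        if verdict != "benign":
            hits[verdict].append((src, method, host, uri))
    return hits


# Constructed proxy log lines for the example (not taken from the sandbox run).
SAMPLE_LOG = [
    "2021-10-21T10:01:02Z 10.0.0.5 GET www.scion-go-getter.com /mwev/?hS=aBc123&sql=1",
    "2021-10-21T10:01:03Z 10.0.0.5 GET www.9linefarms.com /mwev/?hS=aBc123&sql=1",
    "2021-10-21T10:01:04Z 10.0.0.5 POST anabolenpower.net /mwev/",
    "2021-10-21T10:01:05Z 10.0.0.5 GET www.google.com /search?q=invoice",
    "2021-10-21T10:01:06Z 10.0.0.5 GET www.9linefarms.com /index.html",
    "2021-10-21T10:01:07Z 10.0.0.5 GET scion-go-getter.com /",
]

if __name__ == "__main__":
    prof = build_beacon_profile(C2_URL, DECOY_DOMAINS)
    for verdict, reqs in triage_proxy_log(SAMPLE_LOG, prof).items():
        for src, method, host, uri in reqs:
            print(f"{verdict:5} {src} {method} {host}{uri}")
```

Only the C2 host is worth blocking outright; the decoy domains belong to third parties, so a decoy hit is useful as a confirmation that a host is running this campaign's sample, not as a reason to blocklist the domain.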

Targets

    • Target

      Purchase_order_21518..xlsx

    • Size

      369KB

    • MD5

      ed8f6c80d452216334d567e436083218

    • SHA1

      920f2cf0d8c596bbeaa1b8c02fcf021b63b15e3e

    • SHA256

      29dd041104753d8f02fdab92cb502f4c263c8e22605bd5ddeb352b416cc9044d

    • SHA512

      993dfd924731f6b4eb5453a2e9483427dba79d70849b20678f9e8f68f09a7266714c07989687d78df6877266743bc244444fbf0d7ab848449273bf1b54023446

    • Xloader

Xloader is a rebranded version of the Formbook information stealer.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                            Count  ID
Execution         Scripting                            1      T1064
Execution         Exploitation for Client Execution    1      T1203
Persistence       Registry Run Keys / Startup Folder   1      T1060
Defense Evasion   Scripting                            1      T1064
Defense Evasion   Modify Registry                      3      T1112
Discovery         Query Registry                       2      T1012
Discovery         System Information Discovery         2      T1082

Tasks