Purchase_order_21518..xlsx

General

Target: Purchase_order_21518..xlsx
Size: 369KB
Sample: 211021-wlbhdaaeh4
Score: 10/10
MD5: ed8f6c80d452216334d567e436083218
SHA1: 920f2cf0d8c596bbeaa1b8c02fcf021b63b15e3e
SHA256: 29dd041104753d8f02fdab92cb502f4c263c8e22605bd5ddeb352b416cc9044d
SHA512: 993dfd924731f6b4eb5453a2e9483427dba79d70849b20678f9e8f68f09a7266714c07989687d78df6877266743bc244444fbf0d7ab848449273bf1b54023446

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: mwev
C2: http://www.scion-go-getter.com/mwev/

Decoy domains (the same campaign path is requested on these as on the real C2):

  • 9linefarms.com
  • meadow-spring.com
  • texascountrycharts.com
  • chinatowndeliver.com
  • grindsword.com
  • thegurusigavebirthto.com
  • rip-online.com
  • lm-safe-keepingtoyof6.xyz
  • plumbtechconsulting.com
  • jgoerlach.com
  • inbloomsolutions.com
  • foxandmew.com
  • tikomobile.store
  • waybunch.com
  • thepatriottutor.com
  • qask.top
  • pharmacylinked.com
  • ishii-miona.com
  • sugarandrocks.com
  • anabolenpower.net
  • my9m.com
  • ywboxiong.xyz
  • primetire.net
  • yshxdys.com
  • royallecleaning.com
  • xtrategit.com
  • almashrabia.net
  • bundlezandco.com
  • sandman.network
  • vinhomes-grand-park.com
  • jbarecipes.com
  • squareleatherbox.net
  • breathechurch.digital
  • wodemcil.com
  • carthy.foundation
  • galimfish.com
  • reflectbag.com
  • lheteclase.quest
  • yourvirtualevent.services
  • custercountycritique.com
  • liyahgadgets.com
  • sweetascaramelllc.com
  • lzgirlz.com
  • flydubaime.com
  • aanhanger-verhuur.com
  • schooldiry.com
  • theroadtorodriguez.com
  • mrteez.club
  • gxystgs.com
  • runz.online
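The extracted config above is directly usable for hunting: Xloader (like Formbook) sends the same campaign-path request (here `/mwev/`) to the real C2 and to the decoy domains, so the URI path is a more stable fingerprint than any single host. The script below is an added example, not part of this report or of any sandbox tooling. It parses the config in the page's own flattened layout, then labels constructed proxy log lines as real C2, decoy, or unknown host on the campaign path. The log lines, the client IPs and the `?xd=` query shape are constructed; the family, campaign, C2 URL and the decoy domains are copied from the config (only the first four decoys are included to keep the sample short).

```python
"""Hunt for Xloader/Formbook beaconing using the config extracted above.

Added example for this report, not tooling from the sandbox. The log lines
and the query-string shape are constructed; the family, campaign, C2 and
decoy values are copied from the extracted config.
"""
import re
from urllib.parse import urlsplit

# Subset of the report's "Malware Config" block, in the page's own flattened
# layout, so the parser works on the text as it appears there.
CONFIG_TEXT = """
Family xloader
Version 2.5
Campaign mwev
C2
http://www.scion-go-getter.com/mwev/
Decoy
9linefarms.com
meadow-spring.com
texascountrycharts.com
chinatowndeliver.com
"""

# Constructed proxy log: "<timestamp> <client> <method> <url>". Not real data.
SAMPLE_LOG = [
    "2021-10-21T09:12:01Z 10.0.0.5 GET http://www.scion-go-getter.com/mwev/?xd=AbCd",
    "2021-10-21T09:12:03Z 10.0.0.5 GET http://www.9linefarms.com/mwev/?xd=EfGh",
    "2021-10-21T09:12:05Z 10.0.0.5 POST http://www.somethingelse.invalid/mwev/",
    "2021-10-21T09:12:07Z 10.0.0.9 GET http://9linefarms.com/",
    "2021-10-21T09:13:00Z 10.0.0.7 GET https://example.com/index.html",
]

_KV_RE = re.compile(r"^(Family|Version|Campaign)\s+(\S+)$")
_LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+)$")


def parse_config(text):
    """Parse the flattened config block into a dict with keys
    family, version, campaign, c2 (list of URLs) and decoy (list of hosts)."""
    cfg = {"c2": [], "decoy": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in ("C2", "Decoy"):
            section = line.lower()  # following lines belong to this list
            continue
        kv = _KV_RE.match(line)
        if kv:
            cfg[kv.group(1).lower()] = kv.group(2)
            section = None
            continue
        if section:
            cfg[section].append(line)
    return cfg


def _bare(host):
    """Normalise a host for comparison: lowercase, strip a leading 'www.'."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify(cfg, line):
    """Label one proxy log line.

    'c2'            -> request to the configured real C2 host
    'decoy'         -> campaign URI path on one of the listed decoy domains
    'campaign-path' -> campaign URI path on a host not in the config at all
    None            -> nothing Xloader-specific
    """
    m = _LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group(4))
    host = _bare(parts.hostname or "")
    campaign_path = "/%s/" % cfg["campaign"]
    real = {_bare(urlsplit(u).hostname or "") for u in cfg["c2"]}
    decoys = {_bare(d) for d in cfg["decoy"]}
    if host in real:
        return "c2"
    # The implant sends the same campaign-path request to its decoy domains
    # as to the real C2, so the path is the stable fingerprint even when the
    # host is not (or no longer) on any blocklist.
    if parts.path.startswith(campaign_path):
        return "decoy" if host in decoys else "campaign-path"
    return None


def hunt(cfg, lines):
    """Group log lines by verdict; lines with verdict None are dropped."""
    hits = {}
    for line in lines:
        verdict = classify(cfg, line)
        if verdict is not None:
            hits.setdefault(verdict, []).append(line)
    return hits


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    for verdict, lines in hunt(config, SAMPLE_LOG).items():
        print(verdict)
        for line in lines:
            print("   ", line)
```

Treat the three verdicts differently: block the `c2` host, alert on `campaign-path` hits (a request to `/mwev/` on any host is the implant talking, whichever domain it picked), and use `decoy` hits only as corroboration. The decoy domains are largely legitimate sites the implant contacts as cover, so blocking them outright, or flagging a plain visit to one of them (the fourth log line), produces false positives.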

Targets

Target: Purchase_order_21518..xlsx (369KB, score 10/10; MD5 ed8f6c80d452216334d567e436083218, full hashes as listed under General)

Signatures

  • Xloader
    Description: Xloader is a rebranded version of the Formbook information stealer.
  • Xloader Payload
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Loads dropped DLL
  • Uses the VBS compiler for execution (vbc.exe, the Visual Basic .NET compiler)
    TTPs: Scripting
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext (thread-context manipulation typical of process hollowing)

MITRE ATT&CK Matrix

Columns: Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation (cell contents not recovered from the page)

Tasks

  • static1
  • behavioral2
  1/10