Romai Sports LLC Presentation 1.xlsx

General

Target: Romai Sports LLC Presentation 1.xlsx
Size: 369KB
Sample: 211021-wlbhdabebk
Score: 10/10
MD5: f7f005fadf80e48c5deda7686b478da1
SHA1: 67f72bcc1f885d3e6ca81b2297ec1fd9c5924fb9
SHA256: 4015c5ebb42790e7499366372aa4dbaac51dfc6ab790f7687b10311a08ce1f57
SHA512: cbddcf8cca06d3079dcc82994b33d0f6fe08a6257862ca360226561d1013af06e290fb239f2f29e4d60eaabc57b6d3bc963b948f61b1567a76001be27b42eb7a

Malware Config

Extracted

Family: xloader
Version: 2.5
Campaign: sb6n
C2: http://www.best5amazon.com/sb6n/

Decoy (domains carried in the config next to the real C2; Xloader/Formbook contacts decoys with the same campaign path to hide which server is the live one, so a single hit on one of these is a weak indicator on its own):
bogosamba.com
inmobiliariapuertalavilla.com
nopressurewellness.com
hairshopamity.com
epicmoments360.com
tutorgpa.com
fucibou.xyz
135631.com
portraydashcam.com
raqsarabia.com
okantis.net
vongquaykimcuongfreefire.online
prodom.online
5537sbishop.info
lisakenneyinc.com
fivetime.xyz
borzv.com
joungla.com
mas-urbano.com
sjczyw.com
kanesia.com
cursovendasafiliagram.website
lumledstore.com
id-434563.site
tinkerform.com
chainedorchange.com
147149cale.com
windmillbusiness.com
moccocity.com
linkinsense.net
asportrans.com
texasmotorcycletransport.com
unviajeinsospechado.com
rishaande.tech
happylifecompanies.com
thewtot.com
homeyhousy.com
schoolx.space
gr-pcs.com
bedrocksolution.net
investorsbamk.com
rewoodlovro.quest
scratchforce.com
roosteco.com
zacharyparkerporward5.com
itranslate.club
mastessrhalco.com
jytyxyc.xyz
theelegantflamestore.com
grausalvarez.com
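The extracted config is most useful when the C2 URL and the decoy list are used together rather than as fifty separate domain indicators. The script below is an added example written for this report, not code from the sandbox or from the malware: it reads proxy records, keeps only GET requests for the campaign path `/sb6n/` to hosts in the config, and rates each source by how many configured hosts it touched and whether the real C2 was among them. The log line format, the hit threshold, the decoy subset, and the handling of a `www.` prefix on decoy hosts are constructed assumptions.

```python
"""Triage proxy logs for Xloader/Formbook-style campaign beaconing.

Added example for this report, not code from the sandbox or the malware.
Xloader's config carries one real C2 plus a list of decoy domains, and the
bot requests the same campaign path on all of them, so a host that hits
that path on several configured domains is a stronger signal than any
single domain match.  The proxy log format, the decoy subset and the
threshold below are constructed assumptions.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Values taken from the report's extracted config.
CAMPAIGN = "sb6n"
C2_HOST = "www.best5amazon.com"
# A subset of the report's Decoy list; extend with the full list in use.
DECOY_HOSTS = {
    "bogosamba.com", "inmobiliariapuertalavilla.com", "nopressurewellness.com",
    "hairshopamity.com", "epicmoments360.com", "tutorgpa.com", "fucibou.xyz",
}
CONFIG_HOSTS = DECOY_HOSTS | {C2_HOST}
CAMPAIGN_PATH = f"/{CAMPAIGN}/"


def parse_proxy_line(line):
    """Parse a constructed 'ts src method url status' proxy record."""
    ts, src, method, url, status = line.split()
    parts = urlsplit(url)
    return {"ts": ts, "src": src, "method": method.upper(),
            "host": (parts.hostname or "").lower(),
            "path": parts.path, "status": int(status)}


def is_campaign_request(rec):
    """True for a GET of the campaign path to a configured host.

    Assumption: decoys are stored without a 'www.' prefix but may be
    requested with one, so both forms are matched.
    """
    host = rec["host"]
    bare = host[4:] if host.startswith("www.") else host
    return (rec["method"] == "GET"
            and rec["path"] == CAMPAIGN_PATH
            and (host in CONFIG_HOSTS or bare in CONFIG_HOSTS))


def triage(lines, min_hosts=3):
    """Group campaign-path hits per source and rate each source.

    Returns {src: {"hosts": [...], "c2": bool, "verdict": str}}.  A source is
    'likely infected' if it reached the real C2 or at least `min_hosts`
    configured hosts; otherwise 'review', because one decoy hit can be
    ordinary browsing to a compromised or look-alike site.
    """
    hits = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_proxy_line(line)
        if is_campaign_request(rec):
            hits[rec["src"]].add(rec["host"])
    report = {}
    for src, hosts in hits.items():
        saw_c2 = C2_HOST in hosts
        verdict = "likely infected" if (saw_c2 or len(hosts) >= min_hosts) else "review"
        report[src] = {"hosts": sorted(hosts), "c2": saw_c2, "verdict": verdict}
    return report


# Constructed sample log: 10.0.0.5 shows the decoy-rotation pattern,
# 10.0.0.9 browsed a decoy domain on an unrelated path, 10.0.0.7 hit one decoy.
SAMPLE_LOG = """\
2021-10-21T09:00:01Z 10.0.0.5 GET http://www.best5amazon.com/sb6n/ 404
2021-10-21T09:00:03Z 10.0.0.5 GET http://www.bogosamba.com/sb6n/ 404
2021-10-21T09:00:05Z 10.0.0.5 GET http://www.tutorgpa.com/sb6n/ 200
2021-10-21T09:00:06Z 10.0.0.5 GET http://fucibou.xyz/sb6n/ 404
2021-10-21T09:01:10Z 10.0.0.9 GET http://www.tutorgpa.com/ 200
2021-10-21T09:02:00Z 10.0.0.7 GET http://hairshopamity.com/sb6n/ 200
"""

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG.splitlines()).items():
        print(src, info["verdict"], "c2" if info["c2"] else "", info["hosts"])
```

The 404 responses in the constructed log are deliberate: decoy and even live Formbook-family servers frequently answer check-ins with errors, so filtering on status code would drop the very traffic this pattern depends on.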

Targets

Target: Romai Sports LLC Presentation 1.xlsx
Filesize: 369KB
Score: 10/10
MD5: f7f005fadf80e48c5deda7686b478da1
SHA1: 67f72bcc1f885d3e6ca81b2297ec1fd9c5924fb9
SHA256: 4015c5ebb42790e7499366372aa4dbaac51dfc6ab790f7687b10311a08ce1f57
SHA512: cbddcf8cca06d3079dcc82994b33d0f6fe08a6257862ca360226561d1013af06e290fb239f2f29e4d60eaabc57b6d3bc963b948f61b1567a76001be27b42eb7a

Signatures

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
  • Xloader Payload
  • Blocklisted process makes network request
  • Downloads MZ/PE file
  • Executes dropped EXE
  • Loads dropped DLL
  • Uses the VBS compiler for execution
    TTPs: Scripting
  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext
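Several of the behavioural signatures above (an Office document leading to a child process, a downloaded MZ/PE file, execution of the dropped EXE, a Run key added for persistence) are individually common in benign software and only become convincing as a chain on one host. The script below is an added example written for this report, not code from the sandbox: it walks Sysmon-style events, verifies a dropped file is a PE by its header rather than its extension, and links the writer, the execution and the Run key value into ordered findings. The event field names, process names, pids and paths are constructed assumptions, not data observed from this sample; the SetThreadContext signature needs in-process instrumentation and is not covered here.

```python
"""Correlate host telemetry for the behaviours this report lists.

Added example, not from the sandbox.  Walks Sysmon-style events and flags
the chain the signatures describe: an Office process spawning a child, a
dropped file that is really a PE (checked by header, not extension),
execution of that dropped file, and a Run-key value being set.  Event
field names, process names, pids and paths are constructed assumptions.
"""
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}


def image_name(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_pe(header):
    """True if bytes start with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(header) < 0x40 or header[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(header[0x3C:0x40], "little")
    return header[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def correlate(events):
    """Return a list of (tag, detail) findings in event order."""
    findings = []
    dropped_pe = {}  # lower-case path -> pid that wrote it (PE writes only)
    for ev in events:
        kind = ev["type"]
        if kind == "file_write":
            if is_pe(ev["header"]):
                dropped_pe[ev["path"].lower()] = ev["pid"]
                findings.append(("dropped_pe", f"pid {ev['pid']} wrote PE {ev['path']}"))
        elif kind == "process_create":
            parent = image_name(ev["parent_image"])
            if parent in OFFICE_IMAGES:
                findings.append(("office_child",
                                 f"{parent} (pid {ev['parent_pid']}) spawned {ev['image']} (pid {ev['pid']})"))
            writer = dropped_pe.get(ev["image"].lower())
            if writer is not None:
                findings.append(("executes_dropped_exe",
                                 f"pid {ev['pid']} runs {ev['image']} written by pid {writer}"))
        elif kind == "registry_set":
            if any(m in ev["key"].lower() for m in RUN_KEY_MARKERS):
                findings.append(("run_key_persistence",
                                 f"pid {ev['pid']} set {ev['key']} = {ev['value']}"))
    return findings


# Minimal valid PE header for the constructed drop: e_lfanew = 0x40.
PE_HEADER = b"MZ" + b"\0" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\0\0"
DROP = r"C:\Users\u\AppData\Roaming\update.exe"  # constructed path
SAMPLE_EVENTS = [  # constructed telemetry, not from the sample
    {"type": "file_write", "pid": 4100, "path": DROP, "header": PE_HEADER},
    {"type": "file_write", "pid": 4100, "path": r"C:\Users\u\AppData\Roaming\notes.txt",
     "header": b"hello"},
    {"type": "process_create", "pid": 5200, "image": DROP, "parent_pid": 4100,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "registry_set", "pid": 5200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update", "value": DROP},
]

if __name__ == "__main__":
    for tag, detail in correlate(SAMPLE_EVENTS):
        print(f"{tag:22} {detail}")
```

Checking `e_lfanew` rather than only the `MZ` magic matters because many non-executable files and truncated downloads start with `MZ`; the `PE\0\0` signature at the pointed-to offset is what the "Downloads MZ/PE file" signature is really asserting.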

Related Tasks

MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation

Tasks
static1
behavioral2
1/10