Overview

overview

10

Static

static

Romai Spor...1.xlsx

windows7_x64

10

Romai Spor...1.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Romai Sports LLC Presentation 1.xlsx

  • Size

    369KB

  • Sample

    211021-wlbhdabebk

  • MD5

    f7f005fadf80e48c5deda7686b478da1

  • SHA1

    67f72bcc1f885d3e6ca81b2297ec1fd9c5924fb9

  • SHA256

    4015c5ebb42790e7499366372aa4dbaac51dfc6ab790f7687b10311a08ce1f57

  • SHA512

    cbddcf8cca06d3079dcc82994b33d0f6fe08a6257862ca360226561d1013af06e290fb239f2f29e4d60eaabc57b6d3bc963b948f61b1567a76001be27b42eb7a

Score
10/10
xloadersb6nloaderpersistenceratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

sb6n

C2

http://www.best5amazon.com/sb6n/

Decoy

bogosamba.com

inmobiliariapuertalavilla.com

nopressurewellness.com

hairshopamity.com

epicmoments360.com

tutorgpa.com

fucibou.xyz

135631.com

portraydashcam.com

raqsarabia.com

okantis.net

vongquaykimcuongfreefire.online

prodom.online

5537sbishop.info

lisakenneyinc.com

fivetime.xyz

borzv.com

joungla.com

mas-urbano.com

sjczyw.com

Targets

    • Target

      Romai Sports LLC Presentation 1.xlsx

    • Size

      369KB

    • MD5

      f7f005fadf80e48c5deda7686b478da1

    • SHA1

      67f72bcc1f885d3e6ca81b2297ec1fd9c5924fb9

    • SHA256

      4015c5ebb42790e7499366372aa4dbaac51dfc6ab790f7687b10311a08ce1f57

    • SHA512

      cbddcf8cca06d3079dcc82994b33d0f6fe08a6257862ca360226561d1013af06e290fb239f2f29e4d60eaabc57b6d3bc963b948f61b1567a76001be27b42eb7a

    Score
    10/10
    xloadersb6nloaderpersistenceratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks