General

  • Target

    scanjet 025001921.docx

  • Size

    10KB

  • Sample

    211025-chvbjagdel

  • MD5

    58c99415952066ce2de643366e6690b8

  • SHA1

    ddc5fc30f556e6d597a0db1a06f9b514528b38fc

  • SHA256

    4c882c0d1ea5a377d8f3f46e429205ac1842276fcb7c2ceb5f3f466292acee3b

  • SHA512

    df37b491a9d7bb934ec68bd4675773748e702e7ec1f3422e0f1ab7f86af8d5f5143455f9320b25961a7377aa28a4a7d35d0765cda5d659e94963a2d7a1974b11

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

http://104.168.32.55/..-.-.-.-...-------------------wii...................wiz........wii.wiz......wii.......wiz/...-------.-.-.-.-.-.....................wii.wiz......wiz............wi.wiz...........wiz

Extracted

Family

xloader

Version

2.5

Campaign

fpdi

C2

http://www.walletwriter.space/fpdi/

Decoy


Targets

    • Target

      scanjet 025001921.docx


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks