General

  • Target

    IMS211323.xlsx

  • Size

    440KB

  • Sample

    211028-mn68dscbd2

  • MD5

    701ebd3214408e1be59b168c7146ec68

  • SHA1

    86982833e9a8652efe8ca90c54ae87ab28b746f4

  • SHA256

    02f9d38714b8abb404c03b5250f815e60f5738ec15304d1265dbd57eb5668dc5

  • SHA512

    cef1d3cd181c663152f54616df125af3ba9e8e8113ecf97e3771e16be5e331e946876a36b83adc44ac7e0cf3783f5d31b93552b754c5c785e23a22528dd26de5

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

euzn

C2

http://www.heser.net/euzn/

Decoy

235296tyc.com

gold12guide.art

baibuaherb.com

weberwines.tax

chezvitoria.com

aidenb.tech

pitchdeckservice.com

surgeryforfdf.xyz

workunvaccinated.com

hrtaro.com

yourotcs.com

sonimultispecialityclinic.com

consultantadvisors.com

pentesting-consulting.com

dantechs.digital

longshifa.online

taweilai.net

imyusuke.com

cashndashfinancial.com

fasiglimt.quest
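The extracted configuration above only becomes useful once it is turned into something that can be matched against telemetry. The following Python script is an added example and is not part of the sandbox report: it loads the C2 URL, campaign ID and decoy list from this page into an IOC set and runs it over a few constructed proxy-log lines. Formbook-family samples beacon to a subset of their embedded decoy domains alongside the real C2, using the same campaign path on all of them, so the script rates a decoy host seen with the campaign path above a bare decoy hit (a decoy is a legitimate third-party site and may appear in normal browsing). The log format, source IPs and query strings are invented for the example.

```python
import re
from urllib.parse import urlparse

# Configuration values copied from the extracted config on this page.
XLOADER_CONFIG = {
    "family": "xloader",
    "version": "2.5",
    "campaign": "euzn",
    "c2": "http://www.heser.net/euzn/",
    "decoys": [
        "235296tyc.com", "gold12guide.art", "baibuaherb.com", "weberwines.tax",
        "chezvitoria.com", "aidenb.tech", "pitchdeckservice.com", "surgeryforfdf.xyz",
        "workunvaccinated.com", "hrtaro.com", "yourotcs.com",
        "sonimultispecialityclinic.com", "consultantadvisors.com",
        "pentesting-consulting.com", "dantechs.digital", "longshifa.online",
        "taweilai.net", "imyusuke.com", "cashndashfinancial.com", "fasiglimt.quest",
    ],
}


def registrable_domain(host):
    """Collapse a hostname to its last two labels (www.heser.net -> heser.net).

    Deliberately naive: none of the decoys here use a multi-label public
    suffix such as co.uk, so a full public-suffix-list lookup is not needed."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def build_iocs(config):
    """Turn the extracted config into the lookups the matcher needs."""
    c2 = urlparse(config["c2"])
    return {
        "c2_domain": registrable_domain(c2.hostname),
        "c2_path": c2.path,  # "/euzn/" == "/" + campaign + "/"
        "decoy_domains": {registrable_domain(d) for d in config["decoys"]},
    }


def classify(host, path, iocs):
    """Rate one request. Returns a verdict string, or None for no match."""
    if not host:
        return None
    domain = registrable_domain(host)
    on_campaign_path = path.lower().startswith(iocs["c2_path"])
    if domain == iocs["c2_domain"]:
        return "c2" if on_campaign_path else "c2-domain"
    if domain in iocs["decoy_domains"]:
        # Decoys are real third-party sites; only the campaign path ties the
        # request to this sample rather than to ordinary browsing.
        return "decoy+campaign-path" if on_campaign_path else "decoy"
    if on_campaign_path:
        return "campaign-path"  # unknown host carrying the same beacon path
    return None


# Constructed proxy-log lines in an invented "<ts> <src> <method> <url> <status>" format.
LOG_LINES = [
    "2021-10-28T14:02:11Z 10.0.0.15 GET http://www.heser.net/euzn/?Xd=abc 200",
    "2021-10-28T14:02:13Z 10.0.0.15 GET http://www.baibuaherb.com/euzn/?Xd=abc 404",
    "2021-10-28T14:02:15Z 10.0.0.15 POST http://www.aidenb.tech/euzn/ 404",
    "2021-10-28T14:03:00Z 10.0.0.22 GET http://www.example.com/index.html 200",
    "2021-10-28T14:03:05Z 10.0.0.22 GET http://heser.net/ 200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines, iocs):
    """Return (timestamp, source, host, verdict) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        url = urlparse(m["url"])
        verdict = classify(url.hostname, url.path, iocs)
        if verdict:
            hits.append((m["ts"], m["src"], url.hostname, verdict))
    return hits


def beaconing_sources(hits):
    """Sources that hit the C2 or a decoy on the campaign path, i.e. the
    Formbook-style beacon pattern, as opposed to a lone decoy-domain visit."""
    strong = {"c2", "decoy+campaign-path", "campaign-path"}
    return sorted({src for _, src, _, verdict in hits if verdict in strong})


if __name__ == "__main__":
    iocs = build_iocs(XLOADER_CONFIG)
    hits = scan_proxy_log(LOG_LINES, iocs)
    for hit in hits:
        print(*hit)
    print("beaconing:", beaconing_sources(hits))
```

On the constructed lines, 10.0.0.15 is flagged for the real C2 plus two decoys on the `/euzn/` path, which is the pattern worth escalating; 10.0.0.22 only touches the bare C2 domain and is reported at lower confidence.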

Targets

    • Target

      IMS211323.xlsx

    • Size

      440KB

    • MD5

      701ebd3214408e1be59b168c7146ec68

    • SHA1

      86982833e9a8652efe8ca90c54ae87ab28b746f4

    • SHA256

      02f9d38714b8abb404c03b5250f815e60f5738ec15304d1265dbd57eb5668dc5

    • SHA512

      cef1d3cd181c663152f54616df125af3ba9e8e8113ecf97e3771e16be5e331e946876a36b83adc44ac7e0cf3783f5d31b93552b754c5c785e23a22528dd26de5

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1
  • Exploitation for Client Execution (T1203): 1

Defense Evasion

  • Scripting (T1064): 1
  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2
