General

  • Target: KVD 25180299.xlsx
  • Size: 488KB
  • Sample: 211028-sqr45sgegm
  • MD5: 3ea4d7fa257736ee5499186011e4de92
  • SHA1: 7c3796317e67bd5c361123e1ab88fb0a7802ede9
  • SHA256: 27b4c7536a4044b0f7a08db959059c15883e080c56f81bf2c985c377cb3ebbad
  • SHA512: b1adcc108f65b618ada3774998c6115548bd7c8ef362306ff8b549f313e47d5294803863f1f5351dd4b01414cf86a948b3075e6b0da80860f3bbd70e898b1f3c

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: dnz9
  • C2: http://www.chunhejingming.com/dnz9/
  • Decoy:

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution
      T1064 Scripting (1)
      T1203 Exploitation for Client Execution (1)

  • Defense Evasion
      T1064 Scripting (1)
      T1112 Modify Registry (1)

  • Discovery
      T1082 System Information Discovery (3)
      T1012 Query Registry (2)