General

  • Target

    IMS211323.docx

  • Size

    10KB

  • Sample

    211029-xvmsfaafcp

  • MD5

    58edad2a0b7bd0c5048bd95c93272f93

  • SHA1

    4fb040d2d994c9cdf2d8e473af6b77c199165f1c

  • SHA256

    9e5c300f78e216ccf813deabde818bc1279627e4a605258e657a4049af94c575

  • SHA512

    08e0229b0f3c38efe4501fe404174b90b5c50f6423e016ceb4187843f6c10cca2071b91f1119bdbeba68a5b1009ef3cfb800eb0d3014dde35a100d6576987cd3

Malware Config

  • Extracted

    Rule: Microsoft Office WebSettings Relationship

    C2: https://sezde.com/fU5mP

  • Extracted

    Family: xloader

    Version: 2.5

    Campaign: euzn

    C2: http://www.heser.net/euzn/

    Decoy


Targets

    • Target

      IMS211323.docx

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2
