General

  • Target

    catalogue_2021_samples_list_revise_ol.xlsm

  • Size

    22KB

  • Sample

    211104-g928nsdahm

  • MD5

    dcc165863b274e869ea3fcad7499b793

  • SHA1

    fb38b9c991744087932066e5e6ba9ea5377030cf

  • SHA256

    8ceae17c6a9fec00be0b94843b44fd2b19909cc080fcaa3a29a994f98ee6bc3a

  • SHA512

    5ee459191858947e3273e05e53404ef76779dce9b8f60ed2d6f0f888543af0585d1e46c3bb0e5296b2cd2c63883b6f51f8a27efff8b695e52ffaca73a1b2c10e

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: http://84.252.122.23/acs/msn.exe

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    pufi

  • C2

    http://www.homestechs.com/pufi/

  • Decoy


Targets


    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112), count: 1

  • Discovery

    Query Registry (T1012), count: 2

    System Information Discovery (T1082), count: 2

Tasks