Overview

overview

10

Static

static

100197.doc

windows7_x64

10

100197.doc

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    100197.doc

  • Size

    190KB

  • Sample

    211110-jdj4bsdfhp

  • MD5

    a51beb4cee3604bc8ab1c7c9f5e7d5c1

  • SHA1

    22d24e750b96783e24da802dcac3e4367d83befa

  • SHA256

    59de39d60fee5b2a853c4e4bd62ce6ea5054373938b8afbb159d60102f88e989

  • SHA512

    c406ee9bfb3425caf97e26626dbba30aa7a305be0f1732f2a7b4225e877468a0b12aa531d0c495bb3aac6f192966e92daa419ec01ec94e5f5ef50a8f851fc543

Score
10/10
xloaderunznloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

Targets

    • Target

      100197.doc

    • Size

      190KB

    • MD5

      a51beb4cee3604bc8ab1c7c9f5e7d5c1

    • SHA1

      22d24e750b96783e24da802dcac3e4367d83befa

    • SHA256

      59de39d60fee5b2a853c4e4bd62ce6ea5054373938b8afbb159d60102f88e989

    • SHA512

      c406ee9bfb3425caf97e26626dbba30aa7a305be0f1732f2a7b4225e877468a0b12aa531d0c495bb3aac6f192966e92daa419ec01ec94e5f5ef50a8f851fc543

    Score
    10/10
    xloaderunznloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks