General
Target

100197.doc

Size

190KB

Sample

211110-jdj4bsdfhp

Score
10/10
MD5

a51beb4cee3604bc8ab1c7c9f5e7d5c1

SHA1

22d24e750b96783e24da802dcac3e4367d83befa

SHA256

59de39d60fee5b2a853c4e4bd62ce6ea5054373938b8afbb159d60102f88e989

SHA512

c406ee9bfb3425caf97e26626dbba30aa7a305be0f1732f2a7b4225e877468a0b12aa531d0c495bb3aac6f192966e92daa419ec01ec94e5f5ef50a8f851fc543

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

samrgov.xyz

grownupcurl.com

sj0755.net

beekeeperkit.com

richessesabondantes.com

xclgjgjh.net

webworkscork.com

vedepviet365.com

bretabeameven.com

cdzsmhw.com

clearperspective.biz

tigrg5g784sh.biz

bbezan011.xyz

mycar.store

mansooralobeidli.com

ascensionmemberszoom.com

unlimitedrehab.com

wozka.top

askylarkgoods.com

rj793.com

prosvalor.com

primetimeexpress.com

boixosnoisperu.com

mmasportgear.com

concertiranian.net

hyponymys.info

maila.one

yti0fyic.xyz

shashiprayag.com

speedprosmotorsports.com

Targets
Target

100197.doc

MD5

a51beb4cee3604bc8ab1c7c9f5e7d5c1

Filesize

190KB

Score
10/10
SHA1

22d24e750b96783e24da802dcac3e4367d83befa

SHA256

59de39d60fee5b2a853c4e4bd62ce6ea5054373938b8afbb159d60102f88e989

SHA512

c406ee9bfb3425caf97e26626dbba30aa7a305be0f1732f2a7b4225e877468a0b12aa531d0c495bb3aac6f192966e92daa419ec01ec94e5f5ef50a8f851fc543

Tags

Signatures

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • Xloader Payload

    Tags

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    N/A

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    1/10