General

  • Target

    Purchase request FOR lsc-jncTrading.xlsx

  • Size

    693KB

  • Sample

    211110-zcqsgsacb9

  • MD5

    5acd1af44ebb3182c64f493e5206fa21

  • SHA1

    1f4a06f037467583b7c21d4a38b85fef98786b92

  • SHA256

    b463f0df3e6049f4e5d196946c0256b51a97447d36fffb54bccb53ecc1bb032c

  • SHA512

    388ec5bfbd6ec216fef1f2879d03e5f8aa048dd2f6018cf20e91effd4355fd2a908e8b9b69ff7117a9e8f419d382027e94f308ded1ac491df53c779439edbf6f

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    n58i

  • C2

    http://www.makingitreignz.com/n58i/

  • Decoy

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks