General

  • Target

    4857534413438976.zip

  • Size

    12KB

  • Sample

    211117-1mhejaeag5

  • MD5

    246f6e341a018a190858461e5d70a3d5

  • SHA1

    ab7fc9fce66be0adab63ba60bced3917af44111c

  • SHA256

    3d6efe59037f7b5399b5ca0b40fa9ed242894f5be067473ef67c415fdac3fe08

  • SHA512

    ad27e2028b5f9c1bce4ae16a868cedf42ca2a76350189eb17d086f76774e84af1b38e6e1fc97ed9b91516822feac6061f2bfbb3697aad8ca7681d53052397d93

Malware Config

  • Extracted

    Language: ps1 (deobfuscated)

    URLs

    exe.dropper: http://84.252.122.205/xcx/system.exe

  • Extracted

    Family: xloader

    Version: 2.5

    Campaign: pufi

    C2: http://www.homestechs.com/pufi/

Decoy


Targets

    • Target

      6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753

    • Size

      14KB

    • MD5

      70820ac2bb527bb0a10747a06d2c2b0b

    • SHA1

      7289b7ddcdcaa9450c27e1579f36d67a544cee80

    • SHA256

      6ffda0323b69bb875a8360bcdd18b398a463d3de88bb11e6511a3b3bffe5b753

    • SHA512

      64be67485be70ac5aa2539a88c9846282d7178e13a46895d4686ff0ce79378bf9ed4ee7bec00cb88abc0e2e8bb41a9b9ef38aa4ff25b4e4dc6334a96ad1ee4b5

    Score
    10/10
    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Command-Line Interface, T1059 (1)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (3)

Tasks