General
Target

Sales Agreement 17-11-21.doc

Size

12KB

Sample

211118-kzf48scbck

Score
10/10
MD5

14be4834507505c85ed0790ceeebe5ba

SHA1

61e1afbec7f215e598a424614bb43df95e5d4fbc

SHA256

315b35059792a62e53ef2443f0fd5ce87509a4b7d9c84b3a679940ef785adb42

SHA512

d6172ad1f19ecb356fa3d0e5aa31d6712108fc31ae7d08b5efd9dae871666a5fb8ce60a41fd38f180135599e363d1908c4e4d34b69964dcae700f9f4fb315126

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

unzn

C2

http://www.davanamays.com/unzn/

Decoy

xiulf.com

highcountrymortar.com

523561.com

marketingagency.tools

ganmovie.net

nationaalcontactpunt.com

sirrbter.com

begizas.xyz

missimi-fashion.com

munixc.info

daas.support

spaceworbc.com

faithtruthresolve.com

gymkub.com

thegrayverse.xyz

artisanmakefurniture.com

029tryy.com

ijuubx.biz

iphone13promax.club

techuniversus.com

samrgov.xyz

grownupcurl.com

sj0755.net

beekeeperkit.com

richessesabondantes.com

xclgjgjh.net

webworkscork.com

vedepviet365.com

bretabeameven.com

cdzsmhw.com

clearperspective.biz

tigrg5g784sh.biz

bbezan011.xyz

mycar.store

mansooralobeidli.com

ascensionmemberszoom.com

unlimitedrehab.com

wozka.top

askylarkgoods.com

rj793.com

prosvalor.com

primetimeexpress.com

boixosnoisperu.com

mmasportgear.com

concertiranian.net

hyponymys.info

maila.one

yti0fyic.xyz

shashiprayag.com

speedprosmotorsports.com

Targets
Target

Sales Agreement 17-11-21.doc

MD5

14be4834507505c85ed0790ceeebe5ba

Filesize

12KB

Score
10/10
SHA1

61e1afbec7f215e598a424614bb43df95e5d4fbc

SHA256

315b35059792a62e53ef2443f0fd5ce87509a4b7d9c84b3a679940ef785adb42

SHA512

d6172ad1f19ecb356fa3d0e5aa31d6712108fc31ae7d08b5efd9dae871666a5fb8ce60a41fd38f180135599e363d1908c4e4d34b69964dcae700f9f4fb315126

Tags

Signatures

  • Xloader

    Description

    Xloader is a rebranded version of Formbook malware.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • Xloader Payload

    Tags

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix
Collection
    Command and Control
      Credential Access
        Defense Evasion
        Exfiltration
          Impact
            Initial Access
              Lateral Movement
                Persistence
                  Privilege Escalation
                    Tasks

                    static1

                    Score
                    N/A

                    behavioral1

                    Score
                    10/10

                    behavioral2

                    Score
                    1/10