General

  • Target

    PO P232-2111228.xlsx

  • Size

    228KB

  • Sample

    211125-vf983sbbg9

  • MD5

    fe245cc71a6aaff582e5c14d1cb4f79e

  • SHA1

    5ad55c5abb60501750e154c12eca4347cd07ce41

  • SHA256

    9e315f448ba10b56fb6e53d39212ac98c9dc5c0c7b6dd3455f3bb65cce4a7a89

  • SHA512

    7d3be852d7850f50506fada9351e83ca0f2b3bf61d5f879c929a1deaae733921768f7332e12a22452fe5f371310b5f5d833f4937509f6964063f09475ac4e2b6

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    ecaq

  • C2

    http://www.lesventsfavorables.com/ecaq/

  • Decoy domains

    hanshao886837.com
    darknessinwhite.com
    hermetiktipkombi.com
    donalsupplies.xyz
    fyourscript.com
    emotionfocusedapproaches.com
    companyinteldata.com
    msiscripting.com
    masu-masu-hitomi.com
    melbourneweddingofficiant.com
    trendyhunterr.com
    clawfootdesigns.com
    mrwhiskysteve.com
    enkaguclendirme.com
    ceuta-inversiones.com
    gzz06j.cloud
    tanahvilamalino.online
    click-explore.com
    quanqiu22222.com
    m4ob.com
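An added example, not code from the sandbox report or its vendor, showing how a responder would turn the extracted config above into a proxy-log check. Xloader, like Formbook, beacons to its decoy domains as well as to the real C2, so a decoy hit is still evidence of the bot on a host, but the decoy domains are frequently legitimate sites and should not be blocklisted outright; the real C2 is identified by host plus the /<campaign>/ path. The log format, client addresses and timestamps below are constructed for the example and do not come from the report.

```python
"""Added example: check proxy-log lines against the Xloader 2.5 config
extracted in this report. Not code from the report or the sandbox vendor.
The log format and sample lines are constructed for the example."""
from urllib.parse import urlsplit

# Indicators copied from the "Malware Config" section of this report.
FAMILY = "xloader"
VERSION = "2.5"
CAMPAIGN = "ecaq"
C2_URL = "http://www.lesventsfavorables.com/ecaq/"
DECOY_DOMAINS = {
    "hanshao886837.com", "darknessinwhite.com", "hermetiktipkombi.com",
    "donalsupplies.xyz", "fyourscript.com", "emotionfocusedapproaches.com",
    "companyinteldata.com", "msiscripting.com", "masu-masu-hitomi.com",
    "melbourneweddingofficiant.com", "trendyhunterr.com", "clawfootdesigns.com",
    "mrwhiskysteve.com", "enkaguclendirme.com", "ceuta-inversiones.com",
    "gzz06j.cloud", "tanahvilamalino.online", "click-explore.com",
    "quanqiu22222.com", "m4ob.com",
}

_c2 = urlsplit(C2_URL)
C2_HOST = _c2.hostname   # "www.lesventsfavorables.com"
C2_PATH = _c2.path       # "/ecaq/": the campaign id used as the URI path


def _host_matches(host: str, indicator: str) -> bool:
    """Exact match or subdomain of the indicator (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def classify(url: str):
    """Return (kind, indicator) for one requested URL.

    kind is "c2" for a request to the real C2 host under /<campaign>/,
    "c2-host" for any other request to that host, "decoy" for a request to
    one of the decoy domains, or None when nothing matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return None, None
    if _host_matches(host, C2_HOST):
        return ("c2" if parts.path.startswith(C2_PATH) else "c2-host"), C2_HOST
    for decoy in sorted(DECOY_DOMAINS):   # sorted for deterministic output
        if _host_matches(host, decoy):
            return "decoy", decoy
    return None, None


# Constructed sample log (assumed fields: ts, client, method, url, status).
SAMPLE_LOG = """\
1637823001 10.0.0.17 POST http://www.lesventsfavorables.com/ecaq/ 200
1637823002 10.0.0.17 GET http://www.hanshao886837.com/ecaq/?id=1 404
1637823003 10.0.0.17 GET http://trendyhunterr.com/ecaq/ 200
1637823004 10.0.0.42 GET https://example.org/ 200
1637823005 10.0.0.42 GET http://www.lesventsfavorables.com/ 200
"""


def scan_log(text: str) -> list:
    """Parse log lines and return one dict per line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client, _method, url, _status = fields[:5]
        kind, indicator = classify(url)
        if kind:
            hits.append({"ts": int(ts), "client": client, "kind": kind,
                         "indicator": indicator, "url": url})
    return hits


def triage(hits: list, min_decoys: int = 2) -> dict:
    """Rate each client: "high" if it sent the /<campaign>/ request to the C2,
    "medium" if it touched at least min_decoys decoy domains (the bot beacons
    to decoys too, but a single decoy hit may be a legitimate visit),
    otherwise "low"."""
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add((h["kind"], h["indicator"]))
    rating = {}
    for client, inds in seen.items():
        kinds = [k for k, _ in inds]
        if "c2" in kinds:
            rating[client] = "high"
        elif kinds.count("decoy") >= min_decoys:
            rating[client] = "medium"
        else:
            rating[client] = "low"
    return rating


if __name__ == "__main__":
    for client, level in triage(scan_log(SAMPLE_LOG)).items():
        print(f"{client}: {level} ({FAMILY} {VERSION}, campaign {CAMPAIGN})")
```

The C2 host alone is treated as a weaker signal than host plus /ecaq/ path because the domain may also serve legitimate content; raising min_decoys trades recall for fewer false positives on hosts that happen to visit one of the decoy sites.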

Targets

    • Target

      PO P232-2111228.xlsx (228KB; MD5, SHA1, SHA256 and SHA512 as listed under General)

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                                 Count
  Execution        T1064  Scripting                          1
  Execution        T1203  Exploitation for Client Execution  1
  Defense Evasion  T1064  Scripting                          1
  Defense Evasion  T1112  Modify Registry                    1
  Discovery        T1082  System Information Discovery       3
  Discovery        T1012  Query Registry                     2

Tasks