General

  • Target

    PROFORMA INVOICE.xlsx

  • Size

    228KB

  • Sample

    211125-vgv6jsfhcm

  • MD5

    f0e46aba95165b11ad7fc84d80a73730

  • SHA1

    2ea511219e2c3d76597483c4998a2af40d821142

  • SHA256

    009dfe9d9409704671b802ddaa54ee22355f3ff41c6ef779b7e644c76466e0b0

  • SHA512

    f6ea11d97394acb2485baf3a6118e9633fe70f7ae8eef7b3f95f82839bb550374a950bf71e9a0368abd4579854fd404bf21c7eb44c5bb0666fa797f820114d57

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    ht08

  • C2

    http://www.septemberstockevent200.com/ht08/

  • Decoy

    joye.club
    istanbulemlakgalerisi.online
    annikadaniel.love
    oooci.com
    curebase-test.com
    swisstradecenter.com
    hacticum.com
    centercodebase.com
    recbi56ni.com
    mmj0115.xyz
    sharpstead.com
    sprklbeauty.com
    progettogenesi.cloud
    dolinum.com
    amaroqadvisors.com
    traininig.com
    leewaysvcs.com
    nashhomesearch.com
    joy1263.com
    serkanyamac.com
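
The extracted config gives one live C2 URL and twenty decoy domains. Formbook-family samples send their check-in request to the decoys as well as to the real C2, so every domain in the list is an indicator that the payload is running on the host, and the campaign path /ht08/ shows up in those requests too. The script below is an added example, not part of the sandbox report: it runs the extracted config over a few constructed web-proxy log lines (the "timestamp client method url status" log format, the client addresses and the non-config hosts are assumptions for the demo) and classifies each request.

```python
"""Match web-proxy log lines against the XLoader config extracted above.

Added example, not sandbox output. The log lines are constructed for the
demo; the C2 URL and decoy domains are the values the sandbox extracted.
"""
from urllib.parse import urlsplit

C2_URL = "http://www.septemberstockevent200.com/ht08/"
_c2 = urlsplit(C2_URL)
# The whole domain is attacker infrastructure, so match the host with or without "www."
C2_DOMAIN = _c2.hostname[4:] if _c2.hostname.startswith("www.") else _c2.hostname
CAMPAIGN_PATH = _c2.path  # "/ht08/"
DECOY_DOMAINS = {
    "joye.club", "istanbulemlakgalerisi.online", "annikadaniel.love",
    "oooci.com", "curebase-test.com", "swisstradecenter.com", "hacticum.com",
    "centercodebase.com", "recbi56ni.com", "mmj0115.xyz", "sharpstead.com",
    "sprklbeauty.com", "progettogenesi.cloud", "dolinum.com",
    "amaroqadvisors.com", "traininig.com", "leewaysvcs.com",
    "nashhomesearch.com", "joy1263.com", "serkanyamac.com",
}

# Constructed proxy log, assumed format: "<timestamp> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2021-11-25T10:01:02Z 10.0.0.15 GET http://www.septemberstockevent200.com/ht08/ 200
2021-11-25T10:01:03Z 10.0.0.15 GET http://www.joye.club/ht08/ 404
2021-11-25T10:01:04Z 10.0.0.15 GET http://swisstradecenter.com/ht08/ 200
2021-11-25T10:01:05Z 10.0.0.15 GET http://cdn.example.net/ht08/ 200
2021-11-25T10:02:00Z 10.0.0.22 GET https://www.example.com/index.html 200
"""


def _host_matches(host, domain):
    """True if host is the domain itself or any subdomain of it (covers www. prefixes)."""
    return host == domain or host.endswith("." + domain)


def classify_url(url):
    """Return 'c2', 'decoy', 'campaign-path' or None for one requested URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if _host_matches(host, C2_DOMAIN):
        return "c2"
    if any(_host_matches(host, d) for d in DECOY_DOMAINS):
        return "decoy"
    # Campaign path on an unknown host: weak on its own, worth a low-severity alert.
    if parts.path.startswith(CAMPAIGN_PATH):
        return "campaign-path"
    return None


def scan_log(lines):
    """Return (client, verdict, url) for every log line that matches the config."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line, skip it
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, verdict, url))
    return hits


def infected_hosts(hits):
    """Clients that reached the real C2 or a decoy: both mean the payload is running."""
    return sorted({client for client, verdict, _ in hits if verdict in ("c2", "decoy")})


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for client, verdict, url in found:
        print(f"{client:12} {verdict:14} {url}")
    print("infected:", infected_hosts(found))
```

Matching is done on the host suffix rather than the exact URL because the sample may use a www. prefix or a different path on the same attacker-controlled domain; the campaign-path check is kept separate and lower in confidence because a short path like /ht08/ can collide with legitimate sites.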

Targets

    • Target

      PROFORMA INVOICE.xlsx

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
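
The behavioural signatures above describe a chain that host telemetry can also catch: Excel launches a binary it just downloaded, that binary starts the .NET VBS compiler (vbc.exe) as a hollowing target, and vbc.exe, which has no reason to talk to the network, makes the C2 request. The following is an added example, not part of the sandbox report, showing how four of these signatures translate into rules over Sysmon-style process, network and file events. The event records, the process and file names in them, the allow-list of legitimate vbc.exe parents and the blocklist of processes that should never open network connections are all assumptions for the demo.

```python
"""Host-side rules for four of the behaviours the sandbox flagged on this sample.

Added example, not sandbox output. Events are constructed Sysmon-style dicts;
field names, paths, the vbc.exe parent allow-list and the network blocklist are
assumptions for the demo.
"""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Parents from which a vbc.exe launch is expected on a build machine (assumed allow-list).
VBC_OK_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe"}
# Processes that should never open network connections themselves (assumed blocklist).
NO_NETWORK = {"vbc.exe", "regsvcs.exe", "regasm.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM32 = "c:\\windows\\system32\\"

VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
DROPPED = r"C:\Users\victim\AppData\Roaming\invoice.exe"  # constructed dropped-EXE path

# Constructed event stream: the infection chain, then two benign events as controls.
EVENTS = [
    {"id": 1, "type": "process", "image": EXCEL, "parent": r"C:\Windows\explorer.exe"},
    {"id": 2, "type": "process", "image": DROPPED, "parent": EXCEL},
    {"id": 3, "type": "process", "image": VBC, "parent": DROPPED},
    {"id": 4, "type": "network", "image": VBC, "dest": "www.septemberstockevent200.com"},
    {"id": 5, "type": "file", "image": DROPPED, "path": r"C:\Windows\System32\payload.dll"},
    {"id": 6, "type": "process", "image": VBC,
     "parent": r"C:\Program Files (x86)\MSBuild\14.0\Bin\MSBuild.exe"},  # legitimate build
    {"id": 7, "type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "www.example.com"},
]


def base(path):
    """Lower-cased file name of a Windows path (ntpath works on any host OS)."""
    return ntpath.basename(path).lower()


def check_event(ev):
    """Return the names of the sandbox signatures this single event trips."""
    sigs = []
    image = ev["image"].lower()
    if ev["type"] == "process":
        parent = ev["parent"].lower()
        # Office spawning a binary from a user-writable location: a dropped EXE being run.
        if base(parent) in OFFICE_APPS and image.startswith(USER_WRITABLE):
            sigs.append("Executes dropped EXE")
        # vbc.exe started by anything other than a build tool is a classic hollowing target.
        if base(image) == "vbc.exe" and base(parent) not in VBC_OK_PARENTS:
            sigs.append("Uses the VBS compiler for execution")
    elif ev["type"] == "network":
        if base(image) in NO_NETWORK:
            sigs.append("Blocklisted process makes network request")
    elif ev["type"] == "file":
        # A process living in a user directory writing under System32.
        if ev["path"].lower().startswith(SYSTEM32) and image.startswith(USER_WRITABLE):
            sigs.append("Drops file in System32 directory")
    return sigs


def scan_events(events):
    """Return (event id, signature) pairs for the whole event stream, in order."""
    return [(ev["id"], sig) for ev in events for sig in check_event(ev)]


if __name__ == "__main__":
    for event_id, sig in scan_events(EVENTS):
        print(f"event {event_id}: {sig}")
```

The remaining signatures need a different vantage point: "Suspicious use of SetThreadContext" is an API-level step of process hollowing that only a sandbox or an EDR with user-mode hooks sees, and "Downloads MZ/PE file" is a network-content check for a response beginning with the MZ header rather than a process-tree rule. Event 6 in the stream is the control that shows why the parent allow-list matters: vbc.exe under MSBuild is ordinary on a developer box and must not fire.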

MITRE ATT&CK Matrix (ATT&CK v6)

The count is the number of sandbox behaviours mapped to each technique. The matrix uses ATT&CK v6 identifiers; T1064 Scripting has since been deprecated in favour of T1059 Command and Scripting Interpreter.

Tactic                Technique                           Count  ID
Execution             Scripting                           1      T1064
Execution             Scheduled Task                      1      T1053
Execution             Exploitation for Client Execution   1      T1203
Persistence           Scheduled Task                      1      T1053
Privilege Escalation  Scheduled Task                      1      T1053
Defense Evasion       Scripting                           1      T1064
Defense Evasion       Modify Registry                     1      T1112
Discovery             System Information Discovery        3      T1082
Discovery             Query Registry                      2      T1012