General

  • Target

    Quotation AE2101137.xlsx

  • Size

    229KB

  • Sample

    211203-lt1gcsgacn

  • MD5

    158f55903022c000c60f0ba472d13787

  • SHA1

    9a14ad63984f9971819027d959f7763374445d0f

  • SHA256

    caab998f9dd9e1963ac2c5a0dcab660557e3cfbe40c4c79b1eb50e18a2353ff7

  • SHA512

    5ae54bdbeeaf5b10241ae6913ac2027900101959da1087ccf4750703f47580ddecf2c9f4890ef1fcc0da5230d9bee9df3a840018c51f11073f5200f8b0b6456d

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Targets

    • Target

      Quotation AE2101137.xlsx

    • Size

      229KB

    • MD5

      158f55903022c000c60f0ba472d13787

    • SHA1

      9a14ad63984f9971819027d959f7763374445d0f

    • SHA256

      caab998f9dd9e1963ac2c5a0dcab660557e3cfbe40c4c79b1eb50e18a2353ff7

    • SHA512

      5ae54bdbeeaf5b10241ae6913ac2027900101959da1087ccf4750703f47580ddecf2c9f4890ef1fcc0da5230d9bee9df3a840018c51f11073f5200f8b0b6456d

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks