General

  • Target

    tmp/8a3e48550ae70dc076c4f0930dbb46afb3775dcc0f038943ba93483524465c5b.xls

  • Size

    228KB

  • Sample

    211206-nwl3vsdhfr

  • MD5

    75ff2ad7562cb84499dfa0885e11813d

  • SHA1

    85693dacf816a7f5d990da174c406e950b08baf1

  • SHA256

    8a3e48550ae70dc076c4f0930dbb46afb3775dcc0f038943ba93483524465c5b

  • SHA512

    dcd0f6d8748e0af1e21551e0b9e4d06355e79d678fb008e0e026335252d67019c04aa4691b25e61de0427df69aee539d0adb9af3de57776c48ef4026e3ab367d

Malware Config

  • Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    mwev

  • C2

    http://www.scion-go-getter.com/mwev/

  • Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (1) T1064

    Exploitation for Client Execution (1) T1203

  • Defense Evasion

    Scripting (1) T1064

    Modify Registry (1) T1112

  • Discovery

    Query Registry (2) T1012

    System Information Discovery (2) T1082

Tasks