Overview

overview

10

Static

static

SOA.xlsx

windows7_x64

10

SOA.xlsx

windows10_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SOA.xlsx

  • Size

    229KB

  • Sample

    211207-p6e8qshcgr

  • MD5

    967c89ec5975f4463d26a0811ba0facc

  • SHA1

    aec27ed5e87b1ae3dc63cbeb3cdf6bcdd7e08b74

  • SHA256

    4acfd899585cc3b46b0e523ba0cf61e4c78994e4ece49590323f41f8ec4c9eaf

  • SHA512

    3090eb592a3dde7e61c5f8ae7fe25b0b7288cc596638c19957a52a32ccce2b7e491fa79208aac29e4252c7a178aa23e3768d18a6f32caaebecc62f96d579fcc1

Score
10/10
xloaderea0rloaderratsuricata

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ea0r

C2

http://www.asiapubz-hk.com/ea0r/

Decoy

lionheartcreativestudios.com

konzertmanagement.com

blackpanther.online

broychim-int.com

takut18.com

txstarsolar.com

herdsherpa.com

igorshestakov.com

shinesbox.com

reflectpkljlt.xyz

oiltoolshub.com

viralmoneychallenge.com

changingalphastrategies.com

mecitiris.com

rdadmin.online

miniambiente.com

kominarcine.com

pino-almond.com

heihit.xyz

junqi888.com

Targets

    • Target

      SOA.xlsx

    • Size

      229KB

    • MD5

      967c89ec5975f4463d26a0811ba0facc

    • SHA1

      aec27ed5e87b1ae3dc63cbeb3cdf6bcdd7e08b74

    • SHA256

      4acfd899585cc3b46b0e523ba0cf61e4c78994e4ece49590323f41f8ec4c9eaf

    • SHA512

      3090eb592a3dde7e61c5f8ae7fe25b0b7288cc596638c19957a52a32ccce2b7e491fa79208aac29e4252c7a178aa23e3768d18a6f32caaebecc62f96d579fcc1

    Score
    10/10
    xloaderea0rloaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks