General

  • Target

    Order Confirmation nr. 2021-O-1274.xlsx

  • Size

    797KB

  • Sample

    211214-qg8pesggcq

  • MD5

    f2c6d74d9faa8dd958dbd50101a95792

  • SHA1

    489079097bc05626dccd8d6079e925079305ca43

  • SHA256

    0f4df99356c9f5c4d67b60d3a7d352782aa83ea82057716eb706d480c8616b26

  • SHA512

    43183d5b1bd787789ffd40d323b1f236c246ddabcbde366671c34d7b733fb94c470839c9810d7cd4f0338ea235052b7c860e9ec1b15a1b8c414e7aec3b86ed2e

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

fqiq

C2

http://www.esyscoloradosprings.com/fqiq/

Decoy

driventow.com

ipatchwork.today

bolder.equipment

seal-brother.com

mountlaketerraceapartments.com

weeden.xyz

sanlifalan.com

athafood.com

isshinn1.com

creationslazzaroni.com

eclecticrenaissancewoman.com

satellitephonstore.com

cotchildcare.com

yamacorp.digital

ff4cuno43.xyz

quicksticks.community

govindfinance.com

farmersfirstseed.com

megacinema.club

tablescaperendezvous4two.com

Targets

    • Target

      Order Confirmation nr. 2021-O-1274.xlsx

    • Size

      797KB

    • MD5

      f2c6d74d9faa8dd958dbd50101a95792

    • SHA1

      489079097bc05626dccd8d6079e925079305ca43

    • SHA256

      0f4df99356c9f5c4d67b60d3a7d352782aa83ea82057716eb706d480c8616b26

    • SHA512

      43183d5b1bd787789ffd40d323b1f236c246ddabcbde366671c34d7b733fb94c470839c9810d7cd4f0338ea235052b7c860e9ec1b15a1b8c414e7aec3b86ed2e

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Tasks