General

  • Target

    Shipment Invoice Consignment Notification.xlsx

  • Size

    317KB

  • Sample

    211216-jx94vsbdg7

  • MD5

    07d13657969c09576cbb79a1f60fafad

  • SHA1

    cebdc7cc8cbbdc4ab7b20b77e4ddc65c90dae98c

  • SHA256

    c90047524c263f981bc16f205e841459673cbfe1f6ddc6cd34311e4d7311bece

  • SHA512

    dcd6b0fc4deab554bd27fd81fa0fc2a1c88c805a452a49b7d5f42905830e2a6454956857dc21b6469db2e2bffba00a842df6ef830fbcfb2754e9073fef7326a3

Score
10/10

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    ea0r

  • Decoy


Targets

    • Target

      Shipment Invoice Consignment Notification.xlsx

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic / Technique / Technique ID / Count

  • Execution

    Scripting / T1064 / 1

    Exploitation for Client Execution / T1203 / 1

  • Defense Evasion

    Scripting / T1064 / 1

    Modify Registry / T1112 / 1

  • Discovery

    System Information Discovery / T1082 / 3

    Query Registry / T1012 / 2
