General

  • Target

    tmp/55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls

  • Size

    299KB

  • Sample

    220117-rct6xaaed5

  • MD5

    5c899ea523fc5a003a2ee3de8f11bd02

  • SHA1

    ef20b0be5970fc46faa0ff9bdfcd6e00f134653f

  • SHA256

    55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89

  • SHA512

    6ad715cb75f4bde32e4eebea96ca2f6091b68eaa6a370a0f4739edb883d72e920fe01e5b8cd110456f23d007f1b5037d0e70d62f15bbe2f40ee0e930264714db

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

pnug

Decoy

natureate.com

ita-pots.website

sucohansmushroom.com

produrielrosen.com

gosystemupdatenow.online

jiskra.art

janwiench.com

norfolkfoodhall.com

iloveaddictss.com

pogozip.com

buyinstapva.com

teardirectionfreedom.xyz

0205168.com

apaixonadosporpugs.online

jawscoinc.com

crafter.quest

wikipedianow.com

radiopuls.net

kendama-co.com

goodstudycanada.com
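
The config above is what a sandbox extractor pulls out of the Xloader payload: family, version, campaign tag and a domain list. Xloader inherits Formbook's trick of embedding many domains and contacting decoys alongside the real C2, so the label "Decoy" means the extractor cannot tell which entry is live, not that the hosts are harmless to see in telemetry; several are likely legitimate sites, so treat a match as a pivot point (client, URI path, process, cadence) rather than a block-on-sight verdict. The following is an added example, not part of the report or of any vendor tooling: it parses the flattened key/value layout used on this page into a dictionary and runs the domain list over a few constructed dnsmasq-style DNS log lines (CONFIG_TEXT copies the page; LOG_LINES, the client IPs and the log format are assumptions).

```python
"""Parse the Malware Config block above and match its domains against DNS logs.

Added example; CONFIG_TEXT copies the report's config, LOG_LINES are constructed.
"""
import re

CONFIG_TEXT = """
Family
xloader
Version
2.5
Campaign
pnug
Decoy
natureate.com
ita-pots.website
sucohansmushroom.com
produrielrosen.com
gosystemupdatenow.online
jiskra.art
janwiench.com
norfolkfoodhall.com
iloveaddictss.com
pogozip.com
buyinstapva.com
teardirectionfreedom.xyz
0205168.com
apaixonadosporpugs.online
jawscoinc.com
crafter.quest
wikipedianow.com
radiopuls.net
kendama-co.com
goodstudycanada.com
"""

CONFIG_KEYS = {"Family", "Version", "Campaign", "Decoy"}


def parse_config(text):
    """Read the flattened layout: a key line, then its value line(s) until the next key."""
    cfg = {"decoy": []}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in CONFIG_KEYS:
            key = line.lower()
        elif key == "decoy":
            cfg["decoy"].append(line.lower().rstrip("."))
        elif key:
            cfg[key] = line
    return cfg


def match_domain(qname, iocs):
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    q = qname.lower().rstrip(".")
    for d in iocs:
        if q == d or q.endswith("." + d):
            return d
    return None


# dnsmasq-style query line: "query[A] <name> from <client>" (constructed format)
DNS_QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def scan_dns_log(lines, iocs):
    """Return (client, queried name, matched IOC) for every line hitting the list."""
    hits = []
    for line in lines:
        m = DNS_QUERY_RE.search(line)
        if m and (ioc := match_domain(m.group(1), iocs)):
            hits.append((m.group(2), m.group(1), ioc))
    return hits


LOG_LINES = [  # constructed sample lines, not sandbox output
    "Jan 17 10:01:02 dnsmasq[812]: query[A] www.natureate.com from 10.0.0.5",
    "Jan 17 10:01:03 dnsmasq[812]: query[A] notnatureate.com from 10.0.0.5",
    "Jan 17 10:01:09 dnsmasq[812]: query[AAAA] kendama-co.com from 10.0.0.7",
    "Jan 17 10:01:11 dnsmasq[812]: query[A] updates.example.net from 10.0.0.7",
    "Jan 17 10:01:15 dnsmasq[812]: query[A] 0205168.COM. from 10.0.0.5",
]

if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(f"{cfg['family']} v{cfg['version']} campaign={cfg['campaign']} "
          f"domains={len(cfg['decoy'])}")
    for client, qname, ioc in scan_dns_log(LOG_LINES, cfg["decoy"]):
        print(f"{client} -> {qname}  (matches {ioc})")
```

The suffix check deliberately requires a leading dot, so `notnatureate.com` is not a hit while `www.natureate.com` is; trailing dots and case are normalised on both sides because DNS logs are inconsistent about them.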

Targets

    • Target

      tmp/55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls

    • Size

      299KB

    • MD5

      5c899ea523fc5a003a2ee3de8f11bd02

    • SHA1

      ef20b0be5970fc46faa0ff9bdfcd6e00f134653f

    • SHA256

      55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89

    • SHA512

      6ad715cb75f4bde32e4eebea96ca2f6091b68eaa6a370a0f4739edb883d72e920fe01e5b8cd110456f23d007f1b5037d0e70d62f15bbe2f40ee0e930264714db

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
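
Read together, the signatures describe a chain: the spreadsheet gets a PE onto disk ("Downloads MZ/PE file"), runs it ("Executes dropped EXE", "Loads dropped DLL"), and that stage starts the .NET Visual Basic compiler vbc.exe and manipulates a thread with SetThreadContext, the classic hollowing sequence (create suspended, write payload, reset the entry point, resume). SetThreadContext is not something Sysmon logs as its own event, so the practical hunt is on process lineage. The block below is an added example, not the sandbox's logic or any vendor rule: it applies two lineage rules to constructed Sysmon Event ID 1 style records. That vbc.exe is the injection target is an inference from the signature names, BUILD_TOOLS is an allow-list assumption to tune per estate, and the file names and paths in EVENTS are made up.

```python
"""Process-lineage triage for the chain Excel -> dropped EXE -> vbc.exe.

Added example; EVENTS are constructed Sysmon Event ID 1 style records, not
sandbox output. Treating vbc.exe as the injection target is an inference from
the report's signatures, and BUILD_TOOLS is an allow-list to tune per estate.
"""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}  # assumed legit vbc.exe parents
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def _name(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def ancestry(pid, by_pid):
    """Image names of pid's ancestors, nearest first; stops at unknown pids or loops."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        yield _name(ev["ParentImage"])
        pid = ev["ParentProcessId"]


def triage(events):
    """Return (ProcessId, rule) pairs for events matching the hunting rules."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        img, parent = _name(e["Image"]), _name(e["ParentImage"])
        # Rule 1: an Office app starts a binary from a user-writable directory
        # (the "Executes dropped EXE" step; a signature check would tighten it).
        if parent in OFFICE_APPS and any(p in e["Image"].lower() for p in USER_WRITABLE):
            findings.append((e["ProcessId"], "office_runs_dropped_exe"))
        # Rule 2: vbc.exe has no business anywhere under an Office lineage, and
        # outside a build tool it is at least worth a look.
        if img == "vbc.exe":
            if any(a in OFFICE_APPS for a in ancestry(e["ProcessId"], by_pid)):
                findings.append((e["ProcessId"], "vbc_under_office_lineage"))
            elif parent not in BUILD_TOOLS:
                findings.append((e["ProcessId"], "vbc_unusual_parent"))
    return findings


EVENTS = [  # constructed records; names and paths are invented
    {"ProcessId": 100, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentProcessId": 4, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 200, "Image": r"C:\Users\u\AppData\Local\Temp\inv0117.exe",
     "ParentProcessId": 100, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"ProcessId": 300, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentProcessId": 200, "ParentImage": r"C:\Users\u\AppData\Local\Temp\inv0117.exe"},
    {"ProcessId": 400, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentProcessId": 900, "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"ProcessId": 500, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 4, "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, rule in triage(EVENTS):
        print(pid, rule)
```

Walking the full ancestry rather than just the parent matters here: the hollowed vbc.exe is two hops away from Excel, so a parent-only rule would only see an unknown Temp executable spawning a signed Microsoft binary. Pid 400 (vbc.exe under devenv.exe) stays quiet, which is the false-positive case a developer workstation produces all day.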

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                          ID      Hits
Execution        Scripting                          T1064   1
Execution        Exploitation for Client Execution  T1203   1
Defense Evasion  Scripting                          T1064   1
Defense Evasion  Modify Registry                    T1112   1
Discovery        Query Registry                     T1012   2
Discovery        System Information Discovery       T1082   2

Technique IDs are as reported under ATT&CK v6; T1064 (Scripting) was retired in later ATT&CK releases, where script execution maps to T1059 Command and Scripting Interpreter.