General

  • Target

    PAYMENT INVOICE.xlsx

  • Size

    95KB

  • Sample

    220120-x8c56abcf6

  • MD5

    4891415ab0895f94954e864fbb22fdd0

  • SHA1

    7fca6e7716ad0460124fe10904cae6ec81332a67

  • SHA256

    7d1b0018f19ea705eca5d476f4d2aa2cb8899b269b99df63185aa8a3faa1b9f1

  • SHA512

    953ea3728ded97668c28864338c1db65faa77a679a317433bab5e560d1d1e382d01d51e9b82aae15a453df44118f975daf8ce53f64c02b30af4b8c21924c8386

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin
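
The hashes in General and the domain list above are the indicators a responder actually takes away from this report, and the domain list needs care: in Xloader (as in Formbook) the real C2 is hidden among decoys that the bot contacts as cover, so most of these domains are ordinary websites and a single DNS hit on one of them is weak evidence. The following Python is an added example, not Triage's code or content from the report. It wraps the listed hashes and domains, matches subdomains because the bot beacons to "www." plus each domain, and raises an alert only when one client walks several domains of the list. The log format, client addresses and the threshold of three are constructed placeholders.

```python
"""IOC handling for the Triage report above: hash matching against the
reported sample, and decoy-aware matching of DNS telemetry against the
extracted Xloader domain list. Added example, not Triage's own code."""
from __future__ import annotations

import hashlib
from collections import defaultdict

# Hashes copied from the report's General section.
SAMPLE_HASHES = {
    "md5": "4891415ab0895f94954e864fbb22fdd0",
    "sha1": "7fca6e7716ad0460124fe10904cae6ec81332a67",
    "sha256": "7d1b0018f19ea705eca5d476f4d2aa2cb8899b269b99df63185aa8a3faa1b9f1",
    "sha512": "953ea3728ded97668c28864338c1db65faa77a679a317433bab5e560d1d1e382"
              "d01d51e9b82aae15a453df44118f975daf8ce53f64c02b30af4b8c21924c8386",
}

# Domain list copied from the report's "Decoy" section. The real C2 is hidden
# among these; most are legitimate sites the bot contacts as cover.
CONFIG_DOMAINS = frozenset({
    "tricyclee.com", "kxsw999.com", "wisteria-pavilion.com", "bellaclancy.com",
    "promissioskincare.com", "hzy001.xyz", "checkouthomehd.com", "soladere.com",
    "point4sales.com", "socalmafia.com", "libertadysarmiento.online",
    "nftthirty.com", "digitalgoldcryptostock.net", "tulekiloscaird.com",
    "austinfishandchicken.com", "wlxxch.com", "mgav51.xyz", "landbanking.global",
    "saprove.com", "babyfaces.skin",
})


def hash_bytes(data: bytes) -> dict[str, str]:
    """Return the four digests the report lists, keyed like SAMPLE_HASHES."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in SAMPLE_HASHES}


def matching_algorithms(data: bytes) -> list[str]:
    """Algorithms under which `data` equals the reported sample (empty if none).
    A sha256 hit is sufficient on its own; an md5 or sha1 hit alone is weak."""
    digests = hash_bytes(data)
    return [alg for alg, h in SAMPLE_HASHES.items() if digests[alg] == h]


def config_domain_for(host: str) -> str | None:
    """Config domain that `host` equals or is a subdomain of, else None.
    Formbook/Xloader beacons to "www." + domain, so subdomains must match."""
    host = host.strip().lower().rstrip(".")
    for d in CONFIG_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def parse_dns_log(text: str) -> list[tuple[str, str]]:
    """Parse constructed log lines of the form '<ts> <client_ip> <qname>'."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        events.append((parts[1], parts[2]))
    return events


def clients_beaconing(events, threshold: int = 3) -> dict[str, set[str]]:
    """Clients that resolved at least `threshold` distinct config domains.

    One hit is weak evidence because real users also visit the decoys; the
    bot walking the list is the discriminating signal."""
    hits: dict[str, set[str]] = defaultdict(set)
    for client, qname in events:
        d = config_domain_for(qname)
        if d:
            hits[client].add(d)
    return {c: ds for c, ds in hits.items() if len(ds) >= threshold}


# Constructed telemetry (not from the report): one host walks the list,
# another visits a single decoy domain for legitimate reasons.
SAMPLE_LOG = """\
2022-01-20T10:00:01Z 10.0.0.5 www.tricyclee.com
2022-01-20T10:00:03Z 10.0.0.5 www.kxsw999.com
2022-01-20T10:00:05Z 10.0.0.5 www.hzy001.xyz
2022-01-20T10:00:07Z 10.0.0.5 www.saprove.com
2022-01-20T10:01:00Z 10.0.0.9 www.saprove.com
2022-01-20T10:02:00Z 10.0.0.9 tricyclee.com.example.net
"""

if __name__ == "__main__":
    print(matching_algorithms(b"not the sample"))
    print(clients_beaconing(parse_dns_log(SAMPLE_LOG)))
```

Blocking every listed domain at the proxy would cut users off from the legitimate decoys; the cluster rule above, or the sha256 on the mail gateway, is the safer control. The extracted Campaign value (nt3f) is, for this family, the URI path the bot appends to each domain, which gives a more specific network indicator than the domains alone.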

Targets

    • Target

      PAYMENT INVOICE.xlsx

    • Xloader

      Xloader is the rebranded successor of the Formbook information stealer. Its extracted configuration (above) carries a campaign identifier and a list of domains in which the operator's real C2 is hidden among decoys; the bot beacons to the decoys as well, so a single observed connection does not reveal the real server.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Sets service image path in registry

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
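
The signatures above describe an endpoint chain rather than a single event: the spreadsheet spawns a dropped executable, which launches vbc.exe (the Visual Basic compiler) and uses SetThreadContext, the usual sign of process hollowing into that host process. The following Python is an added example, not Triage's detection logic, that walks constructed Sysmon-style process-creation events to find that chain while leaving a developer's legitimate vbc.exe under MSBuild alone. The paths, PIDs and the name dropper.exe are constructed placeholders.

```python
"""Endpoint-side check for the chain the signatures above describe:
Excel -> dropped EXE from a user-writable path -> vbc.exe (the .NET compiler
Xloader hollows into). Added example over constructed Sysmon-style
process-creation events; not Triage's detection logic."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal subset of a Sysmon Event ID 1 (process create) record."""
    pid: int
    ppid: int
    image: str  # full image path


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# .NET utilities commonly abused as hollowing targets; vbc.exe is the one reported here.
HOLLOW_TARGETS = {"vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: list[ProcEvent], pid: int) -> list[ProcEvent]:
    """Walk parent links from `pid` upward; stops at unknown pids or pid-reuse loops."""
    by_pid = {e.pid: e for e in events}
    chain: list[ProcEvent] = []
    seen: set[int] = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def office_ancestor(events: list[ProcEvent], e: ProcEvent) -> ProcEvent | None:
    """First Office process among e's ancestors (excluding e itself), else None."""
    for anc in ancestry(events, e.pid)[1:]:
        if basename(anc.image) in OFFICE_APPS:
            return anc
    return None


def triage_process_tree(events: list[ProcEvent]) -> list[dict]:
    """Return findings, one dict per hit. The two rules mirror the report's
    'Executes dropped EXE' and 'Uses the VBS compiler for execution' signatures."""
    findings = []
    for e in events:
        name = basename(e.image)
        parent = office_ancestor(events, e)
        if parent is None:
            continue  # vbc.exe under msbuild/devenv is normal developer activity
        if e.ppid == parent.pid and any(m in e.image.lower() for m in USER_WRITABLE):
            findings.append({"rule": "office_spawns_dropped_exe", "pid": e.pid,
                             "image": e.image, "parent": parent.image})
        if name in HOLLOW_TARGETS:
            findings.append({"rule": "hollow_target_under_office", "pid": e.pid,
                             "image": e.image, "office_root": parent.image})
    return findings


# Constructed events (not from the report): an infected chain and a benign
# developer build that also runs vbc.exe.
SAMPLE_EVENTS = [
    ProcEvent(500, 1, r"C:\Windows\explorer.exe"),
    ProcEvent(1000, 500, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(2000, 1000, r"C:\Users\alice\AppData\Roaming\dropper.exe"),
    ProcEvent(2100, 2000, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"),
    ProcEvent(2800, 500, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    ProcEvent(2900, 2800, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe"),
    ProcEvent(3000, 2900, r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\vbc.exe"),
]

if __name__ == "__main__":
    for finding in triage_process_tree(SAMPLE_EVENTS):
        print(finding)
```

The ancestry walk rather than a direct parent check matters here: the sandbox shows vbc.exe started by the dropped EXE, not by Excel, so a rule keyed on the immediate parent would miss it. The "Sets service image path in registry" and "Loads dropped DLL" signatures would be covered by separate registry (Sysmon Event ID 13) and image-load (Event ID 7) rules, which this example does not include.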

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                             Count  ID
Execution         Scripting                             1      T1064
Execution         Exploitation for Client Execution     1      T1203
Persistence       Registry Run Keys / Startup Folder    1      T1060
Defense Evasion   Modify Registry                       2      T1112
Defense Evasion   Scripting                             1      T1064
Discovery         System Information Discovery          3      T1082
Discovery         Query Registry                        2      T1012

The IDs follow ATT&CK v6, the version this report uses. In current ATT&CK, T1064 (Scripting) is deprecated in favour of T1059 (Command and Scripting Interpreter) and T1060 has become sub-technique T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder); T1203, T1112, T1082 and T1012 are unchanged. Map them before feeding this report into a tracker keyed on current IDs.

Tasks