General

  • Target

    lod2.xlsx

  • Size

    187KB

  • Sample

    220127-hd4bjaghfp

  • MD5

    5bba5a0571a4c6eb4b4edae51f139e37

  • SHA1

    9a1cdec33e5f6b4e678bf64330da319db4010a08

  • SHA256

    b8b900615f340542853e4dd43975d14b4366d775621b5f6d5bf491814533d2a8

  • SHA512

    b183f8e50c127797a963501af3fba715055c880d66e5761759f96c2429e84fa1df0f6265cd0934af0d48598b057eb1fc8ac752028006f0db96fe4ef8533fd000

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ndf8

Decoy

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                           ID     Count
  Execution         Scripting                           T1064  1
  Execution         Exploitation for Client Execution   T1203  1
  Defense Evasion   Scripting                           T1064  1
  Defense Evasion   Modify Registry                     T1112  1
  Discovery         System Information Discovery        T1082  3
  Discovery         Query Registry                      T1012  2

Tasks