General

  • Target

    RFQ 202200153149 .xlsx

  • Size

    187KB

  • Sample

    220127-qb4hhsdbck

  • MD5

    5e4f44a52133e8a610715e41c0a1f222

  • SHA1

    8d74995ad95281e2c6fa7159cb4bedffe9badfb7

  • SHA256

    380059b1975685a81a70f8a74e3a78130ce7cdc60792240dede87045bce1eb69

  • SHA512

    0ac36d121f16a20de3f22bd4455b799159ecddabc44547934e48eb6e30bc53f7297a8b148ac0e67b01fb7ab802cde07bb22383802b8b5186fec04d286bc00823

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

i5nb

Decoy


Targets

    • Target

      RFQ 202200153149 .xlsx


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (1): T1064

    Exploitation for Client Execution (1): T1203

  • Defense Evasion

    Scripting (1): T1064

    Modify Registry (1): T1112

  • Discovery

    Query Registry (2): T1012

    System Information Discovery (2): T1082
