General

  • Target

    STATEMENT OF ACCOUNT.xlsx

  • Size

    187KB

  • Sample

    220127-qb4hhsded5

  • MD5

    66e2bb43ed1a5a87616c08672e306092

  • SHA1

    70d980e7abf781b278ef3203effd7180ffc97b19

  • SHA256

    8eb9b1f63d88f5f81ee3de3131f4387de6bd005d9b79d4a0ce3a32703e2e84ef

  • SHA512

    1381454b6378de92a0444ebd0a1fd7d8bb3c0d8603b7404d9e166a019e6ceb5743b7169626bae6b966c7a2e1a7f20a5dbd48f53abeb234e5c4a3618ce7a5bca0

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

dpzz

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 1

    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 2

    System Information Discovery (T1082): 2

Tasks