General

  • Target

    Payment_Invoice.xlsx

  • Size

    187KB

  • Sample

    220127-qbjhcadban

  • MD5

    9f7d77c54d5ffa49ac561bb1f5706699

  • SHA1

    c5c461a81a820bd32375ff1635c98b37386b4135

  • SHA256

    2b62e99e383cc9acbcdc1db544934279d1584ab113e85b4453a04cb70b64ad96

  • SHA512

    5e2c4402dbdbc8dcbd3d9f4aaad8c3e9b9423f003d9279a3102d20e3c7ce1dd971a09f14597129e3cd4717d7adbdb76177833547c935afb4a3076fc12933de30

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    nt3f

  • Decoy

Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting (T1064): 1
    Exploitation for Client Execution (T1203): 1

  • Defense Evasion

    Scripting (T1064): 1
    Modify Registry (T1112): 1

  • Discovery

    System Information Discovery (T1082): 3
    Query Registry (T1012): 2

Tasks