General

  • Target: BANK_SWIFT.xlsx
  • Size: 187KB
  • Sample: 220131-h94beagfgn
  • MD5: eb3a7da59dc2f066fc1538b11d9bd07e
  • SHA1: 00d100c3202f7f514b3456937d68a421c032d747
  • SHA256: 5fe6f4878ea26685fda3983a0f783e08c108fd5fca87608c0b9156da55c926bf
  • SHA512: aed30c63769a682056e749c3cbb8b8bb5d0344e924bbc1cefdf8df9d2e2f25bb9713352a472ad87ebc976613d01ee6995b0df07efee66aafd85d8cdbe8f456db

Malware Config

Extracted

  • Family: xloader
  • Version: 2.5
  • Campaign: nt3f
  • Decoy domains:
      tricyclee.com
      kxsw999.com
      wisteria-pavilion.com
      bellaclancy.com
      promissioskincare.com
      hzy001.xyz
      checkouthomehd.com
      soladere.com
      point4sales.com
      socalmafia.com
      libertadysarmiento.online
      nftthirty.com
      digitalgoldcryptostock.net
      tulekiloscaird.com
      austinfishandchicken.com
      wlxxch.com
      mgav51.xyz
      landbanking.global
      saprove.com
      babyfaces.skin

Targets


    • Xloader: Xloader is a rebranded version of Formbook malware.
    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
    • Xloader Payload
    • Blocklisted process makes network request
    • Downloads MZ/PE file
    • Executes dropped EXE
    • Loads dropped DLL
    • Uses the VBS compiler for execution
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scripting                            1      T1064
  Execution             Scheduled Task                       1      T1053
  Execution             Exploitation for Client Execution    1      T1203
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Scripting                            1      T1064
  Defense Evasion       Modify Registry                      1      T1112
  Discovery             System Information Discovery         3      T1082
  Discovery             Query Registry                       2      T1012

Tasks