General

  • Target

    documents.xlsx

  • Size

    187KB

  • Sample

    220208-bl9d7abedp

  • MD5

    bdee9442c6c00c66cae6a2966e21c959

  • SHA1

    10f51a298ab9bd1a20197593a5d45eeb62e52570

  • SHA256

    1299c1168e4958567314cc8109e37b20c5511002770554988a6fa25cb8e5aa4f

  • SHA512

    89a3d65b3b95d17e184b11c69dbec4c11cc9f834cacb8122e7751eeae2d859cb1bcf862a6a0783edcb826a0052783b181e4957b40822bff3489ca50203d88f3d

Malware Config

  • Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    jdo2

  • Decoy

    adopte-un-per.com

    lmandarin.com

    shonemurawni.quest

    bantasis.com

    jsdigitalekuns.net

    hiddenroom.net

    arungjerampangalengan.com

    yinghongxw.com

    buzzcupid.com

    lattent.digital

    faxtoemailguide.com

    romanticfriryrose.com

    ruleaou.com

    mochiko-blog.com

    sekireixploit.com

    bcx-wiremesh.com

    jobportalsg.com

    wysspirit.com

    iflycny.com

    sh-cy17.com

Targets


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting: T1064 (1)

    Exploitation for Client Execution: T1203 (1)

  • Defense Evasion

    Scripting: T1064 (1)

    Modify Registry: T1112 (1)

  • Discovery

    System Information Discovery: T1082 (3)

    Query Registry: T1012 (2)

Tasks