General

  • Target

    8a66b21667a04908ecafa8ac112c66588101c5e314cf32ca3b628891129635eb

  • Size

    698KB

  • Sample

    220208-cv1zvacbdq

  • MD5

    843aa22495480166aff7bd3795f00b7c

  • SHA1

    902438d24a2ebe6ec8f82df17ff0a1184d5c41ba

  • SHA256

    8a66b21667a04908ecafa8ac112c66588101c5e314cf32ca3b628891129635eb

  • SHA512

    ba688f743f02b83b6f7828f20ee02a9914def4783c6b36edeb40086a1c7a616d54b03a7693d3e171489f8260ac112378dc0f8b030570302c0547c6342b2feefb

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper: http://cheatsheet2weightloss.com/Designs.exe

Extracted

Family

xloader

Version

2.3

Campaign

e68n

Decoy (domains the sample contacts alongside its real C2 to mask it)

ds3i.com

integrityconnect.info

jhpaolilo.com

aprilgraberphotography.com

globe-gist.com

blackwellheatingandcooling.com

gossgoddard.com

memoriesmade-l.com

ozsmiwd.icu

pelzerforcongress.com

infinitybytg.com

gczp22.com

logonanet.com

998899sj.com

xn--vhqqb859burbuz7jebh.com

savorysinsation.com

cumykuf.icu

ourbella.com

isurfkarma.com

thepostmail.com

Targets

    • Target

      Drawings.xlsm

    • Size

      147KB

    • MD5

      78a966dd22bc2e85d2f807e2575ea471

    • SHA1

      7daac212c4080fc4c6abc01f515c7548be710d54

    • SHA256

      a2e56ee7abc330ee99d988aee0c118f06003cd7062c3a68bedec7faa59f41f55

    • SHA512

      d945df1e709e95253a58242ac5b85f2b260c03f005aa1fbc97c01699bac33d5b87190c25ebed57bb2870b0ec91e8e09437d5a7f3e7aa2621e670856e7b07bd2c

    • Score

      10/10

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Target

      Drawings2.exe

    • Size

      885KB

    • MD5

      e8fa281769eebdc238ff7996041239a8

    • SHA1

      603e4ccf3f9fb75ece2008fcfb39214fd4c43e02

    • SHA256

      f0898da54ae0f11c2769f71e20969563bc58e74bb1594869108b8242a9c2419b

    • SHA512

      74fc4926649b2ec0cdbab0c7e8c3c7c59fc75a4a820d9309b5358aee040c891a0e2c2ac5ceb3109eee2e4a9a0ca3dfa4d62f48746973e089595c1d08a782bfef

    • Score

      10/10

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Xloader Payload

      Detects the Xloader payload in memory.

    • Deletes itself

      The sample removes its own executable after it has run.

    • Suspicious use of SetThreadContext

      SetThreadContext is used to redirect a suspended thread to injected code, as in process hollowing.
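The two behaviours the report scores on, an Office document spawning an unexpected child and the Xloader payload reaching out to the hosts in its extracted config, can be turned into detection logic. The following is an added example, not output of the sandbox or code of the Xloader family: it runs over log records constructed for the example in a Sysmon-like shape (event_id 1 = process create, 3 = network connect, 22 = DNS query), and the field names, paths, process lists and command lines are assumptions. The IOC hosts are copied from the extracted configuration above.

```python
"""Detection logic for the report's observations (added example, not sandbox
output): an Office parent spawning an unexpected child, and network contact
with hosts from the extracted config. Log records are constructed."""
from urllib.parse import urlparse

# IOCs taken from the report's extracted configuration.
DROPPER_URL = "http://cheatsheet2weightloss.com/Designs.exe"
XLOADER_DECOYS = {
    "ds3i.com", "integrityconnect.info", "jhpaolilo.com",
    "aprilgraberphotography.com", "globe-gist.com",
    "blackwellheatingandcooling.com", "gossgoddard.com", "memoriesmade-l.com",
    "ozsmiwd.icu", "pelzerforcongress.com", "infinitybytg.com", "gczp22.com",
    "logonanet.com", "998899sj.com", "xn--vhqqb859burbuz7jebh.com",
    "savorysinsation.com", "cumykuf.icu", "ourbella.com", "isurfkarma.com",
    "thepostmail.com",
}
NETWORK_IOCS = XLOADER_DECOYS | {urlparse(DROPPER_URL).hostname}

# Office applications that should never launch a script host, and the script
# hosts and LOLBins a macro typically reaches for (assumed lists).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\",
                    "c:\\program files (x86)\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unexpected_children(events):
    """Flag process creations where an Office app starts a script host or a
    binary outside the Windows/Program Files trees (a freshly dropped file).
    Returns (parent, child, command_line) tuples in log order."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 1:
            continue
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent not in OFFICE_PARENTS:
            continue
        untrusted_path = not ev["image"].lower().startswith(TRUSTED_PREFIXES)
        if child in SCRIPT_HOSTS or untrusted_path:
            hits.append((parent, child, ev["command_line"]))
    return hits


def ioc_hits(events):
    """Match DNS queries and outbound connections against the config IOCs.
    Returns (host, process) tuples in log order."""
    hits = []
    for ev in events:
        if ev.get("event_id") == 22:
            host = ev["query_name"]
        elif ev.get("event_id") == 3:
            host = ev.get("destination_hostname", "")
        else:
            continue
        host = host.lower().rstrip(".")
        if host in NETWORK_IOCS:
            hits.append((host, basename(ev["image"])))
    return hits


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records, not sandbox output
    {"event_id": 1, "parent_image": OFFICE + r"\EXCEL.EXE", "image": PS,
     "command_line": r"powershell.exe -NoProfile -WindowStyle Hidden "
                     r"-File C:\Users\Public\stage.ps1"},
    {"event_id": 22, "image": PS, "query_name": "cheatsheet2weightloss.com"},
    {"event_id": 1, "parent_image": PS, "image": r"C:\Users\Public\Designs.exe",
     "command_line": r"C:\Users\Public\Designs.exe"},
    {"event_id": 3, "image": r"C:\Users\Public\Designs.exe",
     "destination_hostname": "ozsmiwd.icu"},
    # Benign noise: Word driving the print spooler helper, and a browser lookup.
    {"event_id": 1, "parent_image": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
    {"event_id": 22,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query_name": "example.org"},
]

if __name__ == "__main__":
    for parent, child, cmd in unexpected_children(SAMPLE_EVENTS):
        print(f"[process] {parent} -> {child}: {cmd}")
    for host, proc in ioc_hits(SAMPLE_EVENTS):
        print(f"[network] {proc} contacted IOC host {host}")
```

The process rule is deliberately scoped to the signature in the report (Office parent), so the second-stage Designs.exe started by PowerShell is not flagged by it; it is caught by the network rule when it contacts a decoy domain. Matching on every decoy rather than only the real C2 is intentional: Xloader cycles through the whole list, so any of them is a usable indicator for this campaign.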

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic           Technique                      Count  ID
Defense Evasion  Modify Registry                1      T1112
Discovery        Query Registry                 2      T1012
Discovery        System Information Discovery   2      T1082
