General

  • Target

    Invoices From Last Year.xlsx

  • Size

    187KB

  • Sample

    220208-jxp4paegcm

  • MD5

    9f024bcd343054384c4309d02eb8aa11

  • SHA1

    446a3adcf4344d586b8548d36078196609e0c0b4

  • SHA256

    df737ad5d92f25da55a1bc1ec33290e0d99f958bb40cdf45788adab8fe2a3088

  • SHA512

    5dd0be5c118717be6b46d6304c36eed576e21b4bd39a778832850570b675823baaa1dcde2ec95755802293eb0f2fdac14e31f0006038136613428f3f38fd6a2f

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.5

  • Campaign

    ahc8

  • Decoy

    methodicalservices.com
    lojahelius.com
    dxadxc.com
    keshaunharris.club
    hockeyengolfshop.online
    sherranmanning.com
    instylelimos.net
    plick-click.com
    tntexplode.com
    movement-practice.net
    nftlake.digital
    134171.com
    newhorizonseo.com
    lm-solar.com
    fahrrad-markt24.com
    creatologiest.com
    juststartmessy.com
    sady-rossii-ural.com
    blockchain-salt.com
    bestoflakegeorge.guide

Targets

    • Target

      Invoices From Last Year.xlsx

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1
  • Exploitation for Client Execution (T1203): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Scripting (T1064): 1
  • Modify Registry (T1112): 2

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Tasks