General

  • Target

    SWIFT.xlsx

  • Size

    187KB

  • Sample

    220208-v51e6scba5

  • MD5

    d3ec340f398c4b2335e9c68a92995f0f

  • SHA1

    895c8a13a0686de1192a25cddad00e6e90813211

  • SHA256

    ecc23d4e568abce507d19e32f33a6b30eda08af3946cf219b2c59115cfe5d9b4

  • SHA512

    199e3dfe3ddb20b9ebf9c805c130cd38467d448da05901b088b92f4cb11d00fd801a929f74be3a5254ffb258572880c0705b8337fb8eaec6b5d4889595b1c6fc
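A triage helper for the hashes above, added here as an example rather than anything taken from the sandbox report: it computes all four digests in a single pass, reports which of them match the values listed for SWIFT.xlsx, and identifies the real container type from the leading bytes, because a file named `.xlsx` that is actually an OLE2 compound file (legacy `.xls`) rather than an OOXML zip is worth noticing before opening it anywhere. The hex values are the report's; the function names and the byte strings used in the tests are this example's own.

```python
import hashlib
import io
import sys

# Digests listed in the report for SWIFT.xlsx (sample 220208-v51e6scba5).
REPORT_HASHES = {
    "md5": "d3ec340f398c4b2335e9c68a92995f0f",
    "sha1": "895c8a13a0686de1192a25cddad00e6e90813211",
    "sha256": "ecc23d4e568abce507d19e32f33a6b30eda08af3946cf219b2c59115cfe5d9b4",
    "sha512": "199e3dfe3ddb20b9ebf9c805c130cd38467d448da05901b088b92f4cb11d00fd"
              "801a929f74be3a5254ffb258572880c0705b8337fb8eaec6b5d4889595b1c6fc",
}


def digests(stream, chunk_size=1 << 16):
    """Compute md5/sha1/sha256/sha512 and the byte count in one pass over a binary stream."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    size = 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def hash_bytes(data):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return digests(io.BytesIO(data))


def matches_report(d):
    """Names of the digests in d that equal the report's values, sorted."""
    return sorted(name for name in REPORT_HASHES if d.get(name) == REPORT_HASHES[name])


def container_type(head):
    """Classify the container from its magic bytes, ignoring the file extension.

    A genuine .xlsx is an OOXML zip and starts with the local-file header 'PK\\x03\\x04'.
    An OLE2 compound file (D0 CF 11 E0 A1 B1 1A E1) is legacy .xls/.doc, whatever it is named.
    """
    if head.startswith(b"PK\x03\x04"):
        return "ooxml-zip"
    if head.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole2-cfb"
    return "unknown"


def triage(data):
    """Combine the checks for one file's contents."""
    d = hash_bytes(data)
    return {
        "container": container_type(data[:8]),
        "matches": matches_report(d),
        "sha256": d["sha256"],
        "size": d["size"],
    }


if __name__ == "__main__":
    # Usage: python triage.py <path-to-file>; prints the result dict.
    with open(sys.argv[1], "rb") as f:
        print(triage(f.read()))
```

If `matches` comes back empty, the file on hand is not the sample this report describes, and none of the behaviour listed below should be assumed for it.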

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

nt3f

Decoy

(Xloader, like Formbook before it, carries a list of domains in its config of which only one is the real C2; the others are decoys, usually legitimate or parked sites, that the implant also contacts to hide the true server. Treat the extracted list below as a correlation set for hunting, not as a blocklist.)

tricyclee.com

kxsw999.com

wisteria-pavilion.com

bellaclancy.com

promissioskincare.com

hzy001.xyz

checkouthomehd.com

soladere.com

point4sales.com

socalmafia.com

libertadysarmiento.online

nftthirty.com

digitalgoldcryptostock.net

tulekiloscaird.com

austinfishandchicken.com

wlxxch.com

mgav51.xyz

landbanking.global

saprove.com

babyfaces.skin
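Because the implant beacons to several entries of its domain list, a single resolution of one of these names is weak evidence, while one client resolving several of them within a short window is a much stronger signal. The following is an added example (not part of the sandbox report) that applies that correlation to DNS logs; the log format (`epoch client query`), the sample lines, and the threshold of three distinct config domains in ten minutes are constructed for the example.

```python
from collections import defaultdict, deque

# Domains from the extracted config (the report's "Decoy" list).
CONFIG_DOMAINS = {
    "tricyclee.com", "kxsw999.com", "wisteria-pavilion.com", "bellaclancy.com",
    "promissioskincare.com", "hzy001.xyz", "checkouthomehd.com", "soladere.com",
    "point4sales.com", "socalmafia.com", "libertadysarmiento.online", "nftthirty.com",
    "digitalgoldcryptostock.net", "tulekiloscaird.com", "austinfishandchicken.com",
    "wlxxch.com", "mgav51.xyz", "landbanking.global", "saprove.com", "babyfaces.skin",
}

# Constructed DNS log: "epoch_seconds client_ip queried_name". Not real traffic.
SAMPLE_LOG = """\
1644330000 10.0.0.5 www.tricyclee.com
1644330012 10.0.0.5 kxsw999.com
1644330030 10.0.0.5 bellaclancy.com
1644330045 10.0.0.5 hzy001.xyz
1644330050 10.0.0.9 www.tricyclee.com
1644330060 10.0.0.9 example.org
1644340000 10.0.0.7 saprove.com
1644341000 10.0.0.7 wlxxch.com
1644342000 10.0.0.7 mgav51.xyz
"""


def registrable(name):
    """Reduce a queried name to the config entry it belongs to (www.foo.com -> foo.com).

    Simplified to the last two labels; that is exact for every entry in CONFIG_DOMAINS,
    none of which sits under a multi-label public suffix such as co.uk.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line):
    """Parse one constructed log line into (timestamp, client, registrable domain)."""
    ts, client, query = line.split()
    return float(ts), client, registrable(query)


def flag_clients(lines, min_domains=3, window=600):
    """Return {client: [domains]} for clients that resolved at least min_domains
    distinct config domains within any window of `window` seconds."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, client, dom = parse_line(line)
        if dom in CONFIG_DOMAINS:
            events[client].append((ts, dom))

    flagged = {}
    for client, evs in events.items():
        evs.sort()
        recent = deque()  # sliding window of (ts, domain) within `window` seconds
        for ts, dom in evs:
            recent.append((ts, dom))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            distinct = {d for _, d in recent}
            if len(distinct) >= min_domains and len(distinct) > len(flagged.get(client, [])):
                flagged[client] = sorted(distinct)
    return flagged


if __name__ == "__main__":
    for client, domains in flag_clients(SAMPLE_LOG.splitlines()).items():
        print(client, domains)
```

In the constructed log, 10.0.0.5 resolves four config domains inside a minute and is flagged; 10.0.0.9 touches one (plausibly a user visiting a legitimate decoy site) and 10.0.0.7 touches three but spread over more than the window, so neither is flagged at the default threshold. Tune `min_domains` and `window` to the beaconing cadence you observe in the sandbox network capture.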

Targets

    • Target

      SWIFT.xlsx

    • Size

      187KB

    • MD5

      d3ec340f398c4b2335e9c68a92995f0f

    • SHA1

      895c8a13a0686de1192a25cddad00e6e90813211

    • SHA256

      ecc23d4e568abce507d19e32f33a6b30eda08af3946cf219b2c59115cfe5d9b4

    • SHA512

      199e3dfe3ddb20b9ebf9c805c130cd38467d448da05901b088b92f4cb11d00fd801a929f74be3a5254ffb258572880c0705b8337fb8eaec6b5d4889595b1c6fc

    Score
    10/10
    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution (vbc.exe, the .NET Visual Basic compiler; Formbook/Xloader is known to inject into a process chosen from a fixed list of legitimate Windows and .NET binaries, of which vbc.exe is one)

    • Suspicious use of SetThreadContext (the API used to redirect a suspended thread's entry point, a hallmark of process hollowing and thread hijacking)

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           Count  ID
  Execution        Scripting                           1      T1064
  Execution        Exploitation for Client Execution   1      T1203
  Defense Evasion  Scripting                           1      T1064
  Defense Evasion  Modify Registry                     1      T1112
  Discovery        System Information Discovery        3      T1082
  Discovery        Query Registry                      2      T1012

Count is the number of sandbox signatures mapped to each technique. The IDs follow ATT&CK v6; T1064 (Scripting) was deprecated in later ATT&CK releases, where its content lives under T1059 (Command and Scripting Interpreter), so map it accordingly when comparing against a current matrix.
