General

  • Target

    NIS10539.xlsx

  • Size

    187KB

  • Sample

    220210-l4hz3aghdp

  • MD5

    a7968f4591d286618a93ef7e3e2a6bdf

  • SHA1

    488bf2bb3e8fafe44a23bc9f2c5397a564fd6e1a

  • SHA256

    069c92a79b1da93e65e632157a3024f9c308df954bd76c507ba1b52787b6c667

  • SHA512

    9de64f674202e7767274c863158496eeb90492b7e26a381332af7aeeb41ca207cf0c41a394ef9da924d9c355df9fcd491ed74a92a9ba8ecd0a75f5840b2c1116

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

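The "Decoy" list above is the part of the extracted config a defender most often misuses. XLoader/Formbook configs carry one real C2 alongside many decoy domains, most of them unrelated legitimate sites, and an infected host beacons to the real C2 plus a random subset of the decoys. Blocking or alerting on any one of these domains therefore produces false positives, while one host contacting several of them in a short window is a strong infection signal. The following is an added example, not code from the sandbox report: it hunts for that co-occurrence over a constructed proxy/DNS log (the `<ISO time> <src_ip> <host>` format, the IPs and the timings are all assumptions made for the demo).

```python
"""Hunting for XLoader/Formbook beaconing by domain co-occurrence.

Added example, not code from the sandbox report. XLoader/Formbook configs
carry one real C2 among many decoy domains (mostly unrelated, legitimate
sites), and an infected host beacons to the real C2 plus a random subset of
the decoys. A single contact with one of these domains is a weak signal; one
host touching several of them in a short window is a strong one.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domains exactly as listed under "Decoy" in the report's extracted config
# (campaign "ahc8"); the report does not single out which one is the real C2.
XLOADER_AHC8_DOMAINS = {
    "192451.com", "wwwripostes.net", "sirikhalsalaw.com", "bitterbaybay.com",
    "stella-scrubs.com", "almanecermezcal.com", "goodgood.online",
    "translate-now.online", "sincerefilm.com", "quadrantforensics.com",
    "johnfrenchart.com", "plick-click.com", "alnileen.com", "tghi.xyz",
    "172711.com", "maymakita.com", "punnyaseva.com", "ukash-online.com",
    "sho-yururi-blog.com", "hebergement-solidaire.com",
}

# Constructed proxy/DNS log for the demo (format assumed: "<ISO time> <src_ip> <host>").
# 10.0.0.5 touches four config domains in three minutes (infected-looking);
# 10.0.0.9 touches one (a normal visit); 10.0.0.7 touches two, hours apart.
SAMPLE_LOG = """\
2022-02-10T13:01:05 10.0.0.5 192451.com
2022-02-10T13:01:40 10.0.0.5 www.google.com
2022-02-10T13:02:11 10.0.0.5 tghi.xyz
2022-02-10T13:03:27 10.0.0.5 goodgood.online
2022-02-10T13:04:02 10.0.0.5 sincerefilm.com
2022-02-10T13:02:30 10.0.0.9 translate-now.online
2022-02-10T09:15:00 10.0.0.7 stella-scrubs.com
2022-02-10T12:40:00 10.0.0.7 maymakita.com
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, src_ip, host)."""
    events = []
    for line in text.strip().splitlines():
        ts, src, host = line.split()
        events.append((datetime.fromisoformat(ts), src, host.lower().rstrip(".")))
    return events


def find_beaconing_hosts(events, domains, window=timedelta(minutes=10), min_distinct=3):
    """Return {src_ip: sorted domains} for every source that contacted at least
    `min_distinct` distinct config domains inside some span of length `window`.

    The window slides over each source's contacts in time order, so a host
    that spreads its visits to these domains over hours is not flagged.
    """
    by_src = defaultdict(list)
    for ts, src, host in events:
        if host in domains:
            by_src[src].append((ts, host))

    hits = {}
    for src, contacts in by_src.items():
        contacts.sort()
        for i, (start, _) in enumerate(contacts):
            in_window = {h for t, h in contacts[i:] if t - start <= window}
            if len(in_window) >= min_distinct:
                hits[src] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for src, doms in find_beaconing_hosts(parse_log(SAMPLE_LOG), XLOADER_AHC8_DOMAINS).items():
        print(f"{src}: {len(doms)} config domains within 10 min -> {doms}")
```

The threshold and window are the tuning knobs: three distinct config domains in ten minutes is a conservative starting point for a 20-domain list, and the same function generalises to any extracted XLoader/Formbook config. Treat the individual domains as context, not as a blocklist, unless the real C2 has been separated from the decoys.
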
Targets

    • Target

      NIS10539.xlsx

    • Size

      187KB

    • MD5

      a7968f4591d286618a93ef7e3e2a6bdf

    • SHA1

      488bf2bb3e8fafe44a23bc9f2c5397a564fd6e1a

    • SHA256

      069c92a79b1da93e65e632157a3024f9c308df954bd76c507ba1b52787b6c667

    • SHA512

      9de64f674202e7767274c863158496eeb90492b7e26a381332af7aeeb41ca207cf0c41a394ef9da924d9c355df9fcd491ed74a92a9ba8ecd0a75f5840b2c1116

    • Xloader

      Xloader is the rebranded successor of the Formbook stealer, which is why network signatures written for Formbook (such as the Suricata rule below) still fire on it.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

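Two of the signatures above translate directly into host-side checks: "Uses the VBS compiler for execution" refers to vbc.exe, the .NET Visual Basic compiler, being launched as a host process for the injected payload (the "Suspicious use of SetThreadContext" signature is the injection itself), and "Executes dropped EXE" is a second-stage binary run from a user-writable path. The following is an added example, not code from the sandbox report, that applies both checks to constructed process-creation events; the parent/child chain, the paths and the allowlist of legitimate vbc.exe parents are assumptions for the demo, not facts taken from the report.

```python
"""Host-side checks for two of the report's behavioural signatures.

Added example, not code from the sandbox report. "Uses the VBS compiler for
execution" means vbc.exe (the .NET Visual Basic compiler) is started as a
host for the injected XLoader payload; "Executes dropped EXE" is a
second-stage binary run from a user-writable location. The events below are
constructed for the demo; the parent/child chain is an assumption and is not
taken from the report.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 style)."""
    parent_image: str
    image: str


# Office processes whose children deserve scrutiny. EQNEDT32.EXE is the
# Equation Editor helper that commonly appears as the parent in exploit chains.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "eqnedt32.exe"}

# Parents under which vbc.exe is expected during a genuine build (assumption;
# extend this from your own environment's baseline).
VBC_BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "vbcscompiler.exe", "csc.exe"}

# User-writable locations a dropped second stage typically runs from.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the list of alert names this event triggers (empty if none)."""
    alerts = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_APPS and USER_WRITABLE.match(ev.image):
        alerts.append("office_spawned_dropped_exe")
    if child == "vbc.exe" and parent not in VBC_BUILD_PARENTS:
        alerts.append("vbc_outside_build")
    return alerts


def triage(events):
    """Pair each alerting event's index with its alerts."""
    results = []
    for i, ev in enumerate(events):
        alerts = classify(ev)
        if alerts:
            results.append((i, alerts))
    return results


# Constructed events for the demo (paths and names are assumptions).
SAMPLE_EVENTS = [
    # Excel launching a binary from %TEMP%: "Executes dropped EXE".
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Users\bob\AppData\Local\Temp\update.exe"),
    # The dropped binary starting the legitimate vbc.exe as an injection host.
    ProcEvent(r"C:\Users\bob\AppData\Local\Temp\update.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"),
    # A real build: vbc.exe under MSBuild is expected and must not alert.
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Roslyn\vbc.exe"),
    # A user double-clicking a download from Explorer: not an Office child.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\bob\Downloads\installer.exe"),
]


if __name__ == "__main__":
    for idx, alerts in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {basename(ev.parent_image)} -> {basename(ev.image)}: {alerts}")
```

The parent allowlist is the false-positive control for the vbc.exe rule, since developer workstations start vbc.exe legitimately all day; on a fleet without build tooling the allowlist can be empty. Either alert alone is a lead, and correlating it with the network co-occurrence check on the config's domains gives a much higher-confidence verdict.
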
MITRE ATT&CK Matrix (ATT&CK v6)

Tactic            Technique                           ID      Count
Execution         Scripting                           T1064   1
Execution         Command-Line Interface              T1059   1
Execution         Exploitation for Client Execution   T1203   1
Defense Evasion   Scripting                           T1064   1
Defense Evasion   Modify Registry                     T1112   1
Discovery         System Information Discovery        T1082   4
Discovery         Query Registry                      T1012   2

The count column is the sandbox's per-technique match count. Scripting (T1064) appears under both Execution and Defense Evasion because ATT&CK v6 places it in both tactics; it was deprecated in later ATT&CK versions in favour of the T1059 sub-techniques.
Tasks