Overview

overview

10

Static

static

TW0091.xlsx

windows7_x64

10

TW0091.xlsx

windows10-2004_x64

4

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TW0091.xlsx

  • Size

    187KB

  • Sample

    220211-wmgqsaeegl

  • MD5

    41521b74c54998dcd1460d444b07c5f1

  • SHA1

    29dcf07f9964a0c2a36defa2935441f559fe7cd2

  • SHA256

    91cf449506a9c3ade639027f6a38e99ee22d9cc7c2a1c4bc42fc8047185b8918

  • SHA512

    8841ddad3690fb1c1436331b03ac26a356f0ff32ab5df923770da4af94785ee5d73cf0f68367cdb2bd3c31922f8be8726004e737753b11c9b32959f71155466d

Score
10/10
formbookxloaderb80iloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

b80i

Decoy

junkremovallawrencevillega.com

almihdar.com

libertymarket.net

daxvip.com

smartxbusinessnetwork.com

aanhanger-verhuur.com

nigerianspecialtyfoods.com

springeqx.com

jmwimpactrecovery.com

teamindus.net

cannabisconnecticut.net

50mpt.xyz

southstarfenceny.com

allisonwinterdesign.com

appsforbusiness.pro

rampi6.com

dusa.codes

firstclassrealtynj.com

curativecarnivore.com

verzeker.xyz

Targets

    • Target

      TW0091.xlsx

    • Size

      187KB

    • MD5

      41521b74c54998dcd1460d444b07c5f1

    • SHA1

      29dcf07f9964a0c2a36defa2935441f559fe7cd2

    • SHA256

      91cf449506a9c3ade639027f6a38e99ee22d9cc7c2a1c4bc42fc8047185b8918

    • SHA512

      8841ddad3690fb1c1436331b03ac26a356f0ff32ab5df923770da4af94785ee5d73cf0f68367cdb2bd3c31922f8be8726004e737753b11c9b32959f71155466d

    Score
    10/10
    formbookxloaderb80iloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Xloader Payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks