General

  • Target

    SC10641.xlsx

  • Size

    165KB

  • Sample

    220218-wd2dtsdfbr

  • MD5

    11aac7b8fe45c352c86c50c440ec5194

  • SHA1

    dae10515c53dc33378e7b5cc6e8b32b380d61c98

  • SHA256

    77c5062163c29fc069bf6b25d78284461f71028f3b688e0ac88397038e59f5ce

  • SHA512

    84cf52f480a05a3f216b27d6db7a7e73c5bc1196650e31f6cdbe2c30396f8262cc49aaa0f466758e334ee6658a8872ad42baf7e484d67e1724551a15667d62bf

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

ahc8

Decoy

192451.com

wwwripostes.net

sirikhalsalaw.com

bitterbaybay.com

stella-scrubs.com

almanecermezcal.com

goodgood.online

translate-now.online

sincerefilm.com

quadrantforensics.com

johnfrenchart.com

plick-click.com

alnileen.com

tghi.xyz

172711.com

maymakita.com

punnyaseva.com

ukash-online.com

sho-yururi-blog.com

hebergement-solidaire.com

Targets

    • Target

      SC10641.xlsx

    • Size

      165KB

    • MD5

      11aac7b8fe45c352c86c50c440ec5194

    • SHA1

      dae10515c53dc33378e7b5cc6e8b32b380d61c98

    • SHA256

      77c5062163c29fc069bf6b25d78284461f71028f3b688e0ac88397038e59f5ce

    • SHA512

      84cf52f480a05a3f216b27d6db7a7e73c5bc1196650e31f6cdbe2c30396f8262cc49aaa0f466758e334ee6658a8872ad42baf7e484d67e1724551a15667d62bf

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks