General

  • Target

    Envio de documento_DHL 22_02_2022.xlsx

  • Size

    186KB

  • Sample

    220223-jdl8pahch9

  • MD5

    05f91845566d3742dc8fb9443ede69f0

  • SHA1

    1d8a64bab1040ca7fd0a36fa40a4869038d54c7f

  • SHA256

    fb624084468d7c727ce92a9257781be69dac3cb13ba42bce978b56a7466aafc3

  • SHA512

    03f3c22ca3fe18566697cc26e54fe46236fa0210b4a50235e1fa18a2710d78183240551995c3d58636dabe488d7aedde389a7d0216bba3f822daaa9d53412d60

Score
10/10

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

yrcy

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           Count  ID
  Execution        Scripting                           1      T1064
  Execution        Exploitation for Client Execution   1      T1203
  Defense Evasion  Scripting                           1      T1064
  Defense Evasion  Modify Registry                     1      T1112
  Discovery        Query Registry                      2      T1012
  Discovery        System Information Discovery        2      T1082

Tasks