General

  • Target

    Darko doo Ponuda.xlsx

  • Size

    208KB

  • Sample

    220510-ln6q7abbhl

  • MD5

    2cb3dc55d935fa041cc469463236c7d4

  • SHA1

    ebaa2a6e8eb071847808e233c706ce78725ecad1

  • SHA256

    9386ac01c50cc2486dd0decec3706823b016adfba3cff50ffda5ed2ddd7f52c7

  • SHA512

    db8f57ed860f14825aa1949969473b7d6d7413b3af6afb01e32a40077b96d40d186ee6300fc8a26591f73076c4cee0c8914c56bd0273e48eed507dd5c398c566

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

arh2

Decoy

hstorc.com

blackountry.com

dhrbakery.com

dezhouofit.com

defipayout.xyz

ginas4t.com

byzbh63.xyz

qrcrashview.com

mialibaby.com

enhaut.net

samainnova.com

yashveerresort.com

delfos.online

dungcumay.com

lj-counseling.net

fliptheswitch.pro

padogbitelawyer.com

aticarev.com

sederino.site

bestplansforpets-japan3.life

Targets

    • Target

      Darko doo Ponuda.xlsx

    • Size

      208KB

    • MD5

      2cb3dc55d935fa041cc469463236c7d4

    • SHA1

      ebaa2a6e8eb071847808e233c706ce78725ecad1

    • SHA256

      9386ac01c50cc2486dd0decec3706823b016adfba3cff50ffda5ed2ddd7f52c7

    • SHA512

      db8f57ed860f14825aa1949969473b7d6d7413b3af6afb01e32a40077b96d40d186ee6300fc8a26591f73076c4cee0c8914c56bd0273e48eed507dd5c398c566

    • Formbook

      Formbook is an information-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      decrypted

    • Size

      201KB

    • MD5

      e3506e12375a78e25c3928281dd19102

    • SHA1

      94661f72f88800f105b413d7c93f9dc0a539f449

    • SHA256

      16810206b9173b8f136c97f9d73fa19570aa14c697161774b1082fbd42a0a611

    • SHA512

      083de22c84ea7ce61eddb0a5cbc7ecf2340dd708552a942713f991dd3a3a60c659ade36f9ed03bf657e707b7f275d1c6116427e5ca9d733a35cb99eafc7ac659

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    T1064  Scripting (2)
    T1059  Command-Line Interface (1)
    T1203  Exploitation for Client Execution (2)

  • Persistence

    T1060  Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112  Modify Registry (3)
    T1064  Scripting (2)

  • Discovery

    T1082  System Information Discovery (6)
    T1012  Query Registry (3)

  (Number in parentheses: count of matching signatures for that technique.)

Tasks