General

  • Target

    SRL INJOUGH Oferty.xlsx

  • Size

    183KB

  • Sample

    220513-rwzwhabdfr

  • MD5

    e2f9f7205237d66d1bf38afe6c640339

  • SHA1

    8ca995164a3c4ef2e9bc5c95ee124872391deaa7

  • SHA256

    48af10595cf68328465412bae7225b4c5da1f4394ddaa58735b15e062c502329

  • SHA512

    ae47a6060cd11366865bc4f90c4203042f59f89dfbb57def54a1dcc5794f287233887b087802928672e76649525877f01587c85650274191730a935441cf9d1a

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

arh2

Decoy

Targets

    • Target

      SRL INJOUGH Oferty.xlsx

    • Size

      183KB

    • MD5

      e2f9f7205237d66d1bf38afe6c640339

    • SHA1

      8ca995164a3c4ef2e9bc5c95ee124872391deaa7

    • SHA256

      48af10595cf68328465412bae7225b4c5da1f4394ddaa58735b15e062c502329

    • SHA512

      ae47a6060cd11366865bc4f90c4203042f59f89dfbb57def54a1dcc5794f287233887b087802928672e76649525877f01587c85650274191730a935441cf9d1a

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      decrypted

    • Size

      177KB

    • MD5

      ed6cfe2f33c53a2f00b89df64378d92d

    • SHA1

      9887eb84bad60aeb24118f376ed20653b529ff01

    • SHA256

      8bd763832d675d199f3e2b74daf55d3e575a6f1c40b9e51f00dfa2e7703d9d9d

    • SHA512

      bb1182e7ba03becd8c2a6cfb911d1b9cf4dfe353320afd1053ed8094d5015cf1855480cb1f03c535920787dc250e880219f20b226f9ea2510e6e31a36277fec7

    • Formbook

      Formbook is a data-stealing malware.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scripting: 2 (T1064)

    Exploitation for Client Execution: 2 (T1203)

  • Persistence

    Registry Run Keys / Startup Folder: 1 (T1060)

  • Defense Evasion

    Scripting: 2 (T1064)

    Modify Registry: 3 (T1112)

  • Discovery

    System Information Discovery: 6 (T1082)

    Query Registry: 4 (T1012)

Tasks