General

  • Target

    DL03327INV.xlsx

  • Size

    93KB

  • Sample

    220514-qcmldscbbn

  • MD5

    5b4a67ac532a5d8900b815144f0fb845

  • SHA1

    6da306004e084780e9f57f3702a5ec22e72fff6c

  • SHA256

    98fc7157dafde651c3ab515663e3a91f034b49175e2e2495c00576c4b8e9e96d

  • SHA512

    031659b74d92911a76865b5095e75521e69e322838e8636e66e9e365b5bc5ac270f61b3c4b8831dd7d3e16a7318d4b5b3e4379ae6487e81f1faa8bd9b988164d

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

nc39

Decoy


Targets


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1

  • Exploitation for Client Execution (T1203): 1

Defense Evasion

  • Scripting (T1064): 1

  • Modify Registry (T1112): 1

Discovery

  • System Information Discovery (T1082): 3

  • Query Registry (T1012): 2

Tasks