General

  • Target

    swift_5466535-9868655_45456.xlsx

  • Size

    52KB

  • Sample

    220616-hwg61sagf4

  • MD5

    a96ddbe347e32231c69661c2378b6f8f

  • SHA1

    08121d6e2283c1369fc68c5a16570286895d5df0

  • SHA256

    18b9c1cf9230f3c1d68056d6c17e050548ab2d62e545ba3063bb03777383e9bf

  • SHA512

    8a61b2452671b8e2a54bf968360f5a377ecfef798a634463cdf7e9102980a339409c19b0f9e386b111007a6581e851556d0b150e44725aa23c1fcdf22e20fa86

Malware Config

Extracted

Family

xloader

Version

2.5

Campaign

r87g

Decoy

gzjyjzsj.com

rapibest.com

affordablebathroomsbyfrank.net

roboruben.com

xn--dlisucr-byag.com

encoreasso.com

piscire.com

dixiebusybee.com

newrome.xyz

sunshinejon.com

glacierforfcs.xyz

borhanmarket.com

tous-des-cons.club

hsfstea.com

spiniform.info

vaicomfibra.com

shinigami.xyz

kryptoindia.com

listentoappetite.com

securepplpay.com

Targets

    • Target

      swift_5466535-9868655_45456.xlsx

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6