General

  • Target

    Invoice.xlsx

  • Size

    52KB

  • Sample

    220616-tkzgpsfhdm

  • MD5

    a4cbbe44e9e450bf833ac7d6d80b66ff

  • SHA1

    8cf86519f02ea92bcb6ce25a371f9aee39db756a

  • SHA256

    661ee56016a29d2248e0f005e1076cd75669554e557a199347e401c5f15ce0ef

  • SHA512

    c406a108eb48e66315f26e93dca92325b395ae46b85b1ec0196498794b6ea1b461b72d1bc484129a7228f49261f4dadccc8d207f62baaa61e28a62adb21672ce

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

tpix

Decoy

jsbbfp2p.com

bioindonbest.com

shjgswkj.com

melaninexperience.com

businessbancomat.com

kaatsu-chiro-studio.com

simplybans.com

ncdm.xyz

assistedlivingabuse.com

stacykinglc.com

oklahomahomesbytamara.net

magneticcompany.com

forwardinchristmagazine.com

tomasarkar.com

atterwet.xyz

day70.com

charlysstore.com

homestartuganda.com

alternative-nursing.com

novamateria-vida.xyz

Targets

    • Target

      Invoice.xlsx

    • Size

      52KB

    • MD5

      a4cbbe44e9e450bf833ac7d6d80b66ff

    • SHA1

      8cf86519f02ea92bcb6ce25a371f9aee39db756a

    • SHA256

      661ee56016a29d2248e0f005e1076cd75669554e557a199347e401c5f15ce0ef

    • SHA512

      c406a108eb48e66315f26e93dca92325b395ae46b85b1ec0196498794b6ea1b461b72d1bc484129a7228f49261f4dadccc8d207f62baaa61e28a62adb21672ce

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Looks for VirtualBox Guest Additions in registry

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks