General

  • Target: IRD-N. 8800.xlsx
  • Size: 260KB
  • Sample: 220617-gqwa1safep
  • MD5: 7b2653d169de8630b50f5370efaf5e10
  • SHA1: 2f3f890d6ca60b747b086937f01976891da9ee2a
  • SHA256: f123bc28888e9864f76f3043d6d827f99d76c3ea366a0ea61d1081c941801388
  • SHA512: 46b4f452000b6d3931dd85931725fe02b82dcd6fb6dcc0fe3db6e2a195052dee5a863135e64fd6cea76fa484b47135da12efd1f1c6d233b47e12546e8b080fd7

Malware Config

Extracted

  • Family: xloader
  • Version: 2.8
  • Campaign: qm5s
  • Decoy


Targets


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks