General

  • Target

    产品清单及规格062020.xlsx

  • Size

    71KB

  • Sample

    220620-k7crsabgfr

  • MD5

    22e0fa1af69bce34ae6db284248231a8

  • SHA1

    6b5888b353dd35301e61f25a7bff0e932a4eab85

  • SHA256

    0fb1ed273eebef5a4de0a4e3cf1d8e1a2a897ff195bc1348d2a00995fc473958

  • SHA512

    32c0ff6f665c910e18fc3a2c1f5c999983d85bd9d97096b0cb4fcc477453260c62aac952783be64bb22899e2567fbff61ad80fc82bcf91b0184b6232097ff9b1

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

vweq

Decoy


Targets

    • Target

      产品清单及规格062020.xlsx


    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    T1064 Scripting: 1

    T1203 Exploitation for Client Execution: 1

  • Defense Evasion

    T1064 Scripting: 1

    T1112 Modify Registry: 1

  • Discovery

    T1012 Query Registry: 2

    T1082 System Information Discovery: 2

Tasks