General

  • Target

    FACTURA.xlsx

  • Size

    80KB

  • Sample

    220621-pea5psddcq

  • MD5

    54471ddd206fafeba1c73948f48ef258

  • SHA1

    2f59811f4afcef21b532358025d5a355387530d4

  • SHA256

    16ea528e9912bfca30351fb41ecd54eceab33f52d011c9b68f34d122c71980ec

  • SHA512

    c7420e2b986cc61dba7b2e94394616f258a099b297dd3148f216e20d580801415b29bace9af178561a80d9c4bb38e5c421fce471c5ee54adc91b6c868775166b

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

ta3t

Decoy


Targets

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
