General

  • Target

    LibertyInsuranceCustomerInvoice.doc.xlsx

  • Size

    71KB

  • Sample

    220621-pea5psffg5

  • MD5

    aedfb52791a420327c6a8ce3faa662b3

  • SHA1

    9a1815c8af55e41dc83a79c33f37b67048f0b49c

  • SHA256

    6104f7a9a6b6aea3bbf732dba31520ed3be11e00126d350106dfdcf62cbc6f45

  • SHA512

    73a69ad4c888290ab4ff5c32024d3b82aed5aa317300d43ed0700dbee4dcc88620270ab7be25bfd3c427e5eb2cb94445c217a42cc4c2873f4116c916f84cba2c

Malware Config

Extracted

Family

xloader

Version

2.8

Campaign

uem3

Decoy

AKGB4wSx6J+2x1WgKQ==

54dc0yNdRnO/FCSAQeL+Tp0=

ZRLkrEHNZ1d1yg==

mubhdcr1EugF/who

GKVThpCZVtY9m+c1Fos=

nkctk6m82Pno8fVf1ydrfAATjEJvRDxWwYwVjxGMIA==

pvFvmLjefiJ5IWvPaWSZKCk4

L7Vhm+sduit68jRIH4k=

hL6j/yJOaBqxEBE=

0ehJg24Ot+O6+glq

fLuQ9QUfvhqxEBE=

kj8Tk+ks8qO0BjegJAVIRvzyF7hxyblXhHMLjxGMIA==

fbEsS1zjAndVOUuKJh2HnGWtnmQg

CrSJBiq9FEgbO3iXjYHq

349o4SvGd6ONa4baf26ZKCk4

f703eo4Wud/r5v9BL+L+Tp0=

OFi0/02FMpps+gg=

+jsvlbdP/aqW1gY=

ZpHdFzM396f6oDRIH4k=

YWfAF3GfNaPzWVnHTTSEkmOtnmQg

Targets

    • Target

      LibertyInsuranceCustomerInvoice.doc.xlsx

    • Size

      71KB

    • MD5

      aedfb52791a420327c6a8ce3faa662b3

    • SHA1

      9a1815c8af55e41dc83a79c33f37b67048f0b49c

    • SHA256

      6104f7a9a6b6aea3bbf732dba31520ed3be11e00126d350106dfdcf62cbc6f45

    • SHA512

      73a69ad4c888290ab4ff5c32024d3b82aed5aa317300d43ed0700dbee4dcc88620270ab7be25bfd3c427e5eb2cb94445c217a42cc4c2873f4116c916f84cba2c

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Drops startup file

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext
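Worked example (added here; not part of the sandbox report and not code from the Xloader/Formbook analysis): a small triage helper that turns three things on this page into checks a responder can run offline. It verifies a file's digests against the MD5/SHA1/SHA256/SHA512 values listed above, flags the double-extension naming pattern seen in the target name (`.doc.xlsx`), and tests whether a downloaded blob is an MZ/PE file, matching the "Downloads MZ/PE file" signature. The extension lists and the `FAKE_PE` bytes are constructed for illustration and are assumptions, not data from the report.

```python
import hashlib
import struct

# Digests exactly as listed in the report for LibertyInsuranceCustomerInvoice.doc.xlsx
REPORT_IOCS = {
    "md5": "aedfb52791a420327c6a8ce3faa662b3",
    "sha1": "9a1815c8af55e41dc83a79c33f37b67048f0b49c",
    "sha256": "6104f7a9a6b6aea3bbf732dba31520ed3be11e00126d350106dfdcf62cbc6f45",
    "sha512": "73a69ad4c888290ab4ff5c32024d3b82aed5aa317300d43ed0700dbee4dcc88620270ab7be25bfd3c427e5eb2cb94445c217a42cc4c2873f4116c916f84cba2c",
}

# Assumption: short illustrative lists of document-like and executable extensions
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "pdf", "rtf"}
EXEC_EXTS = {"exe", "scr", "js", "vbs", "hta", "lnk"}

# Constructed 68-byte stand-in for a dropped PE: MZ stub, e_lfanew = 0x40, "PE\0\0" at 0x40
FAKE_PE = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 4


def compute_digests(data: bytes) -> dict:
    """Lowercase hex digests for every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_IOCS}


def match_iocs(digests: dict, iocs: dict = REPORT_IOCS) -> list:
    """Names of the algorithms whose digest equals the report value (case-insensitive)."""
    return sorted(alg for alg, value in digests.items()
                  if alg in iocs and value.lower() == iocs[alg].lower())


def suspicious_name(filename: str) -> bool:
    """Flag a document-looking inner extension hidden behind a second extension,
    e.g. invoice.doc.xlsx or invoice.pdf.exe; archive chains like .tar.gz are not flagged."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 3:
        return False
    inner, outer = parts[-2], parts[-1]
    return inner in DOC_EXTS and inner != outer and (outer in DOC_EXTS or outer in EXEC_EXTS)


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with an MZ stub whose e_lfanew points at a PE\\0\\0 signature.
    An e_lfanew beyond the buffer yields an empty slice and therefore False."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(filename: str, data: bytes) -> dict:
    """Combine the three checks into one verdict dictionary."""
    digests = compute_digests(data)
    return {
        "ioc_hits": match_iocs(digests),
        "double_extension": suspicious_name(filename),
        "is_pe": looks_like_pe(data),
        "sha256": digests["sha256"],
    }


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else FAKE_PE
    print(triage(path or "dropped.bin", blob))
```

Run it as `python triage_check.py <file>` against a quarantined sample; without an argument it exercises the constructed `FAKE_PE` bytes. Only a hit in `ioc_hits` ties a file to this exact sample; the name and PE checks are heuristics meant to prioritise, not to convict.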

MITRE ATT&CK Enterprise v6

Tasks