General

  • Target

    4b576304c3e8983c8ac3e54b7a336dc1

  • Size

    197KB

  • Sample

    220621-rnns9sdhgr

  • MD5

    4b576304c3e8983c8ac3e54b7a336dc1

  • SHA1

    c58b1c8ab2ff3b62644452d9e7a476dd4ffab91d

  • SHA256

    e06c6c7f4d448ed82f1f1e98783a9901895a4013d554be9effd743d04b653518

  • SHA512

    bfb6aaa101c6f0ba61bc11cf2a2bbecb1eb0054e3ba6050b7fa2b74d01c576d5c86e8a952b6716d3f9ea028b12730468c80ed2153401295e3737790f8a5f3cef

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

gd9m

Decoy

screens.ma

coachingdiary.com

cannabisconsultant.xyz

sirenonthemoon.com

gabrielatrejo.com

blumenladentampa.com

sturisticosadmcancun.com

qdygo.net

nubearies.com

thedestinationcrafter.com

fastblacktv.com

sanakatha.com

birdviewsecurityandshipping.com

waterfilterhub.xyz

92658.top

xigen.xyz

barikadcrew.com

herzogbjj.com

veminis.com

thnawya.net

Extracted

Family

formbook

Version

4.1

Campaign

p94r

Decoy

great-word-to-view-today.info

godlla.com

03clqzv8.xyz

smm61.xyz

nichesplay.space

piraguacorantioquia.com

gadaimobilbpkb.com

apexindustrialsupplies.com

maryczfowler.space

signaturecreator.online

oberstolz.info

veterinaryjobsmarketplace.com

cilibao.info

21haber.xyz

soldbyannchristian.com

sman1caringin.site

cullencottage.com

sizewue4.xyz

fusioncaf.com

thesanctuaryminerals.online

Targets

    • Target

      Doc202206201627.xlsx

    • Size

      71KB

    • MD5

      1d82383a97676c0119586294847d72c4

    • SHA1

      e235ee979b771fc57a1591c3937964e8737e6522

    • SHA256

      4a484a5d70b16a279ea706a537405a9163c26fb4fdb73ffe894ba0f424e57277

    • SHA512

      0c92bdc7e80795bbf967d49238625bee28d47b43cfc8ac266e4becc6a71f6d8dd541e40e3b776ff9b22f4fdcb096c6ed18b35755af96a5a9d015eda68ff26799

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      Inv202206201625.xlsx

    • Size

      71KB

    • MD5

      02c755a3861024c1e79118b9159c9054

    • SHA1

      a3b7119231700859502b6254b9a12cfe75daf99f

    • SHA256

      effb514af6cb0ff5315d92b990dc6e4727a2798349020a5c88b040b2f84bb849

    • SHA512

      1b4f4c07c91937c656c453f09a447b8fc70d981b7fed91e5001185b0b61d1b29eefc651d587031e99d8d2ca825eb9ff0c7906f99fcb5fb4aa6b776f91cd670aa

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Formbook Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks