General

  • Target

    963160d26142b6474f438817ec48eb78

  • Size

    126KB

  • Sample

    220621-rnv8cadhhm

  • MD5

    963160d26142b6474f438817ec48eb78

  • SHA1

    52fc1fa9c7583c82ad9cd490cddd3d952707fd06

  • SHA256

    af72242806490ba1f281a4c443c8441e50347f1792fb72bc6ac522d510356b1b

  • SHA512

    c3cef3309e39d2d8a2b8e729959e50a5f18444eabe59570dab1c70fc09f12308423f9fa92a2fd8bca9ba6e4798d2d960c266249b80b95e6ebaf3db783ffca5bb

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

vweq

Decoy

Targets

    • Target

      CRT CO.,LTD 询价 22E000300.xlsx

    • Size

      79KB

    • MD5

      dd46ed89d3a3980b0bc2777d4add5ccc

    • SHA1

      1a2f9c8cccc09cded5d37dfa2b0d036c2c9c1aa6

    • SHA256

      15aef9c8fb1a266c387dcfa0c8f432b869f6ec38bf0cbc32a0c4165342a2f122

    • SHA512

      bbd3d46cff7b697035486ae1faff7294fbd59e3619fcb716d792c53913514be398c740271a4ae5c21aedba74daed1f3db8b10c4df6eb23be08c647e46d64dc2a

    Score

    1/10

    • Target

      decrypted

    • Size

      74KB

    • MD5

      d6292ede597ee252272ff26b3b0921ee

    • SHA1

      c30df83b8ff4b9d170e317f77f5f11256400d7f3

    • SHA256

      cca88d823b05ff47e9bc7c2d98e4f4d7f7bb31f913edc35cf2a6b5b067a1a2fa

    • SHA512

      ad707c06b15c4f7943300cbc6047fa9bb886241a36c801ac5c443bc88b28552891380f916b9e56dd14b1591e1d71060f69719feddb37d7a2f5df1416b70f9911

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Scripting (T1064): 1

  • Exploitation for Client Execution (T1203): 1

Defense Evasion

  • Modify Registry (T1112): 2

  • Scripting (T1064): 1

Discovery

  • Query Registry (T1012): 4

  • System Information Discovery (T1082): 4

Tasks