General

  • Target

    4ace262872d1fbbba4ecafabf1a256d6

  • Size

    98KB

  • Sample

    220621-rreprsgch9

  • MD5

    4ace262872d1fbbba4ecafabf1a256d6

  • SHA1

    d2dae88218ec0ceba90c703af1236c260b0b78bd

  • SHA256

    e79c14b37f3bae66bac8eb5c7ea6aafa601c6b4fc33e151ff00fb80341dacfb0

  • SHA512

    bdc510a545dd1f7623607438e39fcd9a62748bff4585f86132a4e8bfac2c65f0de3c524d2cd8da4239f6b0e885a3bc2ab572e2abe95a6196408381c20431fb8c

Malware Config

Targets

    • Target

      Purchase order.xlsx

    • Size

      71KB

    • MD5

      62e0d75168635953e8f6ec3676e5ee5e

    • SHA1

      e0d80f2d4c6f91171a42acaad942377413ad8e49

    • SHA256

      14b387257fae52d4311292395c98846292179cc26d29a5865b1e702dbafc781f

    • SHA512

      38993dc8dd600cdcca2703d3294b70a4cadd76334af07486d6a904dcaf4b89ca8d40e6ed64d154d6fc4bf98e1daaf07b29a2c52c80603195f9815ba719ab023b

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks