General

  • Target

    neworder.xlsx

  • Size

    70KB

  • Sample

    220627-jm5rdshffm

  • MD5

    d9f48130841dc73037b0f62f746541fc

  • SHA1

    c0a72723ecaa8946b20e83b351103e4d3736f818

  • SHA256

    a18777061d67e2f6d34ff05d90d39171058c0c4a609c8cb2fbc86cf13c730740

  • SHA512

    8ae9a035928b991027195950fe2d38d1200d7728fbbd900a40a37161171bb54b577a9a191396ec255d3048a94d9c689c14f7773d85df2d5883a6febc6fe1c294

Malware Config

Extracted

  • Family

    xloader

  • Version

    2.6

  • Campaign

    vweq

  • Decoy

    malang-media.com
    mrsfence.com
    lubetops.com
    aitimedia.net
    montecryptocapital.com
    ahwmedia.com
    bvmnc.site
    bggearstore.com
    bcsantacoloma.online
    alltimephotography.com
    santacruz-roofings.com
    leaplifestyleenterprises.com
    censovet.com
    similkameenfarms.com
    undisclosed.email
    thetrinityco.com
    rapiturs.com
    jedlersdorf.info
    mh7jk12e.xyz
    flygurlblogwordpress.com

Targets

    • Target

      neworder.xlsx

    • Size

      70KB

    • MD5

      d9f48130841dc73037b0f62f746541fc

    • SHA1

      c0a72723ecaa8946b20e83b351103e4d3736f818

    • SHA256

      a18777061d67e2f6d34ff05d90d39171058c0c4a609c8cb2fbc86cf13c730740

    • SHA512

      8ae9a035928b991027195950fe2d38d1200d7728fbbd900a40a37161171bb54b577a9a191396ec255d3048a94d9c689c14f7773d85df2d5883a6febc6fe1c294

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      decrypted

    • Size

      65KB

    • MD5

      8f9618a7aa42db05bc62579df02745ef

    • SHA1

      11b9c0f4a6597d9ff11c43dd3aa5f78ca8241540

    • SHA256

      5f170dae688af1256a837d10fb1051d3de21691a8290cc943a1e54f93a53f746

    • SHA512

      41e671151ede9c8dafcd0974aea97252ef7cf7c8d36d3129048cc8d6a32c90c45ab6b45b8988e75bc74cb341f5e25e5b9bf6874c49eb0959b8796c64b67107a6

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                           Count  ID
  Execution        Scripting                           2      T1064
  Execution        Exploitation for Client Execution   2      T1203
  Defense Evasion  Scripting                           2      T1064
  Defense Evasion  Modify Registry                     2      T1112
  Discovery        Query Registry                      4      T1012
  Discovery        System Information Discovery        4      T1082

Tasks