xloader

General

Target

Alfa Laval Aalborg AS Overdue Invoice .xlsx
Size

69KB
Sample

220627-sfkx3scadl
MD5

600a82701077aed99add9b55a9d22408
SHA1

d548046f0ffab010399a4d77997d667c5f89a9aa
SHA256

2a20bbe8c5562c5e602ca21bf5c68433d1bf41f9e126fd3d8450c6a7ca56ffb6
SHA512

0f564cd63fae33668b45c4dce887e86834390e53b46686f1c4853973060d2c8544fdc9a2bd0ee747a1d2bbe0094380cff5d9615bc63c7c0ed2338aeba94c7c1a

Score

10^/10

Malware Config

Extracted

Family

xloader

Version

2.9

Campaign

iewb

Decoy

n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==

5vIAIY+pt81OtWs+FdIEdk7Y

LHIKc+oWGIQUUlfAAtEEdk7Y

ePM/cX2jvHrS

5hvPEw22+fdvmJz3C8FIVq0=

mb9EeX2jvHrS

Dx2zIYNvfjo8VUo5

6jVPnyJekv2RAc4gLKNwEqQ=

KWatHyjdE5Gj1Ng=

t9lk70gzUAZty4qjbVjF

6eUBeFPzKBWT125BFNIEdk7Y

dZUXOIyqTJGj1Ng=

iL3TVh2Jl5QVStnzxcAhIL8=

J1prtyklUfZGR/xDD71IbkWRd2yx

s9FgCOBRW9bU0Y6jbVjF

RYCbQDzcFBhcylgu

Fl0BV/8RJm6F9QRg8LXXTLo=

0dhumHzrCCZ3wdQg7nFF1AlL6Tk=

xvL+iL6wwX+/wH9K4lbZ/A==

N0lVceIFD5Gj1Ng=

Targets

- Target
  
  Alfa Laval Aalborg AS Overdue Invoice .xlsx
- Size
  
  69KB
- MD5
  
  600a82701077aed99add9b55a9d22408
- SHA1
  
  d548046f0ffab010399a4d77997d667c5f89a9aa
- SHA256
  
  2a20bbe8c5562c5e602ca21bf5c68433d1bf41f9e126fd3d8450c6a7ca56ffb6
- SHA512
  
  0f564cd63fae33668b45c4dce887e86834390e53b46686f1c4853973060d2c8544fdc9a2bd0ee747a1d2bbe0094380cff5d9615bc63c7c0ed2338aeba94c7c1a
Score

10^/10

xloader iewb loader rat suricata
- Xloader
  Xloader is a rebranded version of Formbook malware.
  loader xloader
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- Xloader Payload
  rat
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  decrypted
- Size
  
  64KB
- MD5
  
  f47afe6c3e0e23c768f4cb611d98f824
- SHA1
  
  63fe705d6d6a85117f57af2431f083ba6c472eed
- SHA256
  
  57c1e1c28a5b553d08d4ab23656d014d8b2e0b071207b516f6db3dd726b575c6
- SHA512
  
  e4ee26d06dcd59a9362560972fb27f036e95e6872533679cfe1a3e643c60187af18fe63766e0bf8d89c317852ef28db6b19178bf65c0ce07681b3b941227e4ff
Score

8^/10
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
behavioral3 behavioral4