General

  • Target

    Parapex_New_Order.xlsx

  • Size

    162KB

  • Sample

    220628-l1mtvaadg6

  • MD5

    7d21038675e69d5808547b0b5a09f7e3

  • SHA1

    eb04abc7b310d4c07a8f26ddf6f307ca51614735

  • SHA256

    fbc610b29f55af9ff443232aa7737c990895c284d265173c8f0e3ef0598a3634

  • SHA512

    82212f9581dd904d20d010174db6134dd4afba063384e0e573f0034fc6b2a3cf78b552596518354edb7ed0983df0516bd301c0905d071e9d0eab046d68287997

Malware Config

Extracted

Family

xloader

Version

2.6

Campaign

uajq

Decoy


Targets

    • Target

      Parapex_New_Order.xlsx

    • Size

      162KB

    • MD5

      7d21038675e69d5808547b0b5a09f7e3

    • SHA1

      eb04abc7b310d4c07a8f26ddf6f307ca51614735

    • SHA256

      fbc610b29f55af9ff443232aa7737c990895c284d265173c8f0e3ef0598a3634

    • SHA512

      82212f9581dd904d20d010174db6134dd4afba063384e0e573f0034fc6b2a3cf78b552596518354edb7ed0983df0516bd301c0905d071e9d0eab046d68287997

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    • Target

      decrypted

    • Size

      156KB

    • MD5

      93e9cb066fc35d5134f314fc09d0be29

    • SHA1

      58f55fb4a02237c5891de5773c209d16df81703e

    • SHA256

      c2ef15d0c8f81c352c930b79bb64fc29f030a78b4b8db56ebf03eb14dd62dbe1

    • SHA512

      1eb7309143559d5617ff0336efa1f1b37786be2d2b2711f14aaf09518eb9411b1fbfd638366bdf26f4561e78e7d4c0aa39927493b98b43d0fa28234b391ab89c

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    • Xloader Payload

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scripting (T1064): 2

    Exploitation for Client Execution (T1203): 2

  • Defense Evasion

    Scripting (T1064): 2

    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 4

    System Information Discovery (T1082): 4