Overview

overview

10

Static

static

10

Payment_advice.docx

windows7_x64

10

Payment_advice.docx

windows10-2004_x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Payment_advice.docx

  • Size

    10KB

  • Sample

    220712-pwrh1saefq

  • MD5

    545f1299fa1187bb19194b9357974d16

  • SHA1

    41b263450391a0b5d93b4839a8cc2447a2bad77d

  • SHA256

    6f829bc15bf5d762698ea44e8ad719e80c35206e7f9d218964fde51535ce4b11

  • SHA512

    761497d6044f493ccc9a03d869ac4023a94df4671abd54f781c454a77c5c96675db8ff4e16ea038c3fcafc9ab1fdfe98869b05b99525d0bbafa9003819ab8839

Score
10/10
xloaderv4qploaderratsuricatawebsettings

Malware Config

Extracted

Rule
Microsoft Office WebSettings Relationship
C2

https://a-lynk.com/dlwZZ

Extracted

Family

xloader

Version

2.9

Campaign

v4qp

Decoy

je1XQKU1LfJPVLk=

nvf41a7FsTLs6uB/g+CR

U7mryF6DctZn6GEjr9Bm4g==

1SONGrPdh7wGEOXp3g==

2xX859r7qOFq7GYkr9Bm4g==

IYtzVUx0Oo0HmZawLQAARDvBf4dL

NH3iuBPNSzZTvpw/4KaG

rDehfiqIPbdMBS8G1g==

xhb2uJ0eBwo7k3djqxh60xoNt4VoeQ==

AFtKux3JgPGRkx3xUsciR6piSg==

m+3VoJadWcBvOAPpzKUNPoAxyplS

1DWKULdka3mxIKhEqGxQr7gxyplS

DGlFGBqWi5CtrCX9alyTuPzq

muvVM4slyTfxORwAZisVksCM78aSEVo=

D3biNgUbyg9E5pl+

/+1QLPssvl/Xxg==

I4lzTjaAcc1iBS8G1g==

wSwc4MmbShojhlZCrniTuPzq

jN5YO6ZXSfJPVLk=

4TUS4+ANuqHCRTM9sniTuPzq

Targets

    • Target

      Payment_advice.docx

    • Size

      10KB

    • MD5

      545f1299fa1187bb19194b9357974d16

    • SHA1

      41b263450391a0b5d93b4839a8cc2447a2bad77d

    • SHA256

      6f829bc15bf5d762698ea44e8ad719e80c35206e7f9d218964fde51535ce4b11

    • SHA512

      761497d6044f493ccc9a03d869ac4023a94df4671abd54f781c454a77c5c96675db8ff4e16ea038c3fcafc9ab1fdfe98869b05b99525d0bbafa9003819ab8839

    Score
    10/10
    xloaderv4qploaderratsuricata

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

      suricata

    • Xloader payload

      rat

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Abuses OpenXML format to download file from external location

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks