Overview

overview

10

Static

static

Nuevo_orden.xls

windows7-x64

10

Nuevo_orden.xls

windows10-2004-x64

1

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nuevo_orden.xls

  • Size

    1.4MB

  • Sample

    221208-m19t2scf9z

  • MD5

    3ec6082c0c3d4230f50fb5492fca4ce5

  • SHA1

    7785a87183386d911ef22ef01f56a124d5bbb4ed

  • SHA256

    fdd33a137aa5e4b3a1b1268297372067e246a8c0d9a812fb691a2d685444308d

  • SHA512

    09dca1b64c7f43f6855f530462079213ab8ae14f6eb4e70720d236c0ff7407ebd144880ad3f230f6f3c727866377fa75622baf2db476f7270e3ff8110bde516a

  • SSDEEP

    24576:nzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXD+m/Vr5XXXXXXXXXXXXUXXXXXXXrXXXx:I0S/XpWUe

Score
10/10
formbookxloaderctaploaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

ctap

Decoy

7fuiHU5O7pBugItrXtDlRbQzVNAypQ==

Ioe4Ezkvrkk5SljtGsXC

7SdYmzWqxYzoB10eYg==

87z12VKpqmy0nXHtGsXC

frPRoZR38nhTXl/tGsXC

JybcU3xwAWn21yEPd4XnKA==

B6LTKeV3SeQZAg==

9iFOJSEVtE+I6ea4tn6M72ANGm3K

bROuHdVCVl63QIZuI2etey+ugP0=

25FDh/Be3fhaReK+BwZm9aY+og==

ipYbazKawI7oB10eYg==

Y3ONgI2GHcStmm5WhEZCsE/GlNJovg==

NMjp1U2zzpPoB10eYg==

ZZOygHxoGkBxNTz1RnI=

Hy1dkswBcyQh

94qXZbB1+8ciD4Q=

JUhyQ8Fxl+4gBA==

7wuj4eTJFutgR7+k1R8mIA==

Nj3QJ1RBulY2AMS/1R8mIA==

LjFXk8zI5vgdq8N6ropiNA==

Extracted

Family

xloader

Version

3.Æ…

Campaign

ctap

Decoy

7fuiHU5O7pBugItrXtDlRbQzVNAypQ==

Ioe4Ezkvrkk5SljtGsXC

7SdYmzWqxYzoB10eYg==

87z12VKpqmy0nXHtGsXC

frPRoZR38nhTXl/tGsXC

JybcU3xwAWn21yEPd4XnKA==

B6LTKeV3SeQZAg==

9iFOJSEVtE+I6ea4tn6M72ANGm3K

bROuHdVCVl63QIZuI2etey+ugP0=

25FDh/Be3fhaReK+BwZm9aY+og==

ipYbazKawI7oB10eYg==

Y3ONgI2GHcStmm5WhEZCsE/GlNJovg==

NMjp1U2zzpPoB10eYg==

ZZOygHxoGkBxNTz1RnI=

Hy1dkswBcyQh

94qXZbB1+8ciD4Q=

JUhyQ8Fxl+4gBA==

7wuj4eTJFutgR7+k1R8mIA==

Nj3QJ1RBulY2AMS/1R8mIA==

LjFXk8zI5vgdq8N6ropiNA==

Targets

    • Target

      Nuevo_orden.xls

    • Size

      1.4MB

    • MD5

      3ec6082c0c3d4230f50fb5492fca4ce5

    • SHA1

      7785a87183386d911ef22ef01f56a124d5bbb4ed

    • SHA256

      fdd33a137aa5e4b3a1b1268297372067e246a8c0d9a812fb691a2d685444308d

    • SHA512

      09dca1b64c7f43f6855f530462079213ab8ae14f6eb4e70720d236c0ff7407ebd144880ad3f230f6f3c727866377fa75622baf2db476f7270e3ff8110bde516a

    • SSDEEP

      24576:nzxXXXXXXXXXXXXUXXXXXXXXXXXXXXXXD+m/Vr5XXXXXXXXXXXXUXXXXXXXrXXXx:I0S/XpWUe

    Score
    10/10
    formbookxloaderctaploaderratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Scripting

1
T1064

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks