General
Target: Pre-order.xlsx
Size: 2.2MB
Sample: 210119-a2zqs8nyze
MD5: ff38cf4d7025c0a5be3d81ac520c498b
SHA1: 2ad3bf55a7ac4c636ecdf1b703d46afd190b9525
SHA256: cadb48c6d6cb9a5806bb74899c4837916538e2b9257dcc0f28640cc8179fd391
SHA512: 039351f7634ef17c18047c4f1e4fa2be2e71660f814019c014e69900f3a4fcc4c9153a1656d4e1ae15ad5203a2db5a2679922fe6716a1ccfef316b1a7217a0f9
Static task: static1
Behavioral task: behavioral1 (Sample: Pre-order.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: Pre-order.xlsx, Resource: win10v20201028)
Malware Config
Extracted: formbook
Signatures
Xloader Payload
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext