General
-
Target
PO0495858558585_JAN2021.xlsx
-
Size
2.3MB
-
Sample
210120-kdhbelcqln
-
MD5
f2cbf4c0b32a85ea9649cdb8cd06c828
-
SHA1
067de878fef186f7e21cde3864078a918f2866a4
-
SHA256
40b0fe398f25fea75acfff6a4d9a13c09513e355f1b35eedc3e0752f3ed24b20
-
SHA512
b8268b753c4a4e95ab879ee156ccd653b78ba97aefb445a520fe83a6674a8f32e2b9ca73ec97367082d71c15470b2ec94e326338f1d58c0e517434a8a036be46
Malware Config
Extracted
formbook
http://www.bodyfuelrtd.com/8rg4/
fakecostasunglasses.com
twinbrothers.pizza
jizhoujsp.com
qscrit.com
hotelmanise.com
fer-ua.online
europserver-simcloud.systems
redwap2.pro
betwalkoffame.com
latashalovemillionaire.com
8million-lr.com
tomatrader.com
modaluxcutabovefitness.com
shishijiazu.com
cckytx.com
reversehomeloansmiami.com
imaginenationnetwork.com
thecyclistshop.com
jorgegiljewelry.com
hlaprotiens.com
Targets
-
-
Target
PO0495858558585_JAN2021.xlsx
-
Size
2.3MB
-
MD5
f2cbf4c0b32a85ea9649cdb8cd06c828
-
SHA1
067de878fef186f7e21cde3864078a918f2866a4
-
SHA256
40b0fe398f25fea75acfff6a4d9a13c09513e355f1b35eedc3e0752f3ed24b20
-
SHA512
b8268b753c4a4e95ab879ee156ccd653b78ba97aefb445a520fe83a6674a8f32e2b9ca73ec97367082d71c15470b2ec94e326338f1d58c0e517434a8a036be46
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext
-