General
Target: PO0495858558585_JAN2021.xlsx
Size: 2.3MB
Sample: 210120-kdhbelcqln
MD5: f2cbf4c0b32a85ea9649cdb8cd06c828
SHA1: 067de878fef186f7e21cde3864078a918f2866a4
SHA256: 40b0fe398f25fea75acfff6a4d9a13c09513e355f1b35eedc3e0752f3ed24b20
SHA512: b8268b753c4a4e95ab879ee156ccd653b78ba97aefb445a520fe83a6674a8f32e2b9ca73ec97367082d71c15470b2ec94e326338f1d58c0e517434a8a036be46
Static task: static1
Behavioral task: behavioral1
Sample: PO0495858558585_JAN2021.xlsx
Resource: win7v20201028
Behavioral task: behavioral2
Sample: PO0495858558585_JAN2021.xlsx
Resource: win10v20201028
Malware Config
Extracted: formbook
Targets
Target: PO0495858558585_JAN2021.xlsx
- Xloader Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext