General
Target: PO81105083.xlsx
Size: 2.2MB
Sample: 210121-d6kt1q6w96
MD5: 9797bc6c5ce33a7cc291dd48899c0f92
SHA1: 2c19029d4a5207aeb0dd73bb8b00adc4d17c9b40
SHA256: 5fd2f87cfb199fdc7d2f870e6e0cd276a132d1f034f48fbc54d97149117b13f2
SHA512: 4681140bba76c793fbe2d0d2a85fafc766d4579c1f26aca8bb4cb5566335b39677669fda9a87c26ebd4399b143580e5a96667d0d8e8dba03f98be22887632be6
Static task: static1
Behavioral task: behavioral1 (Sample: PO81105083.xlsx; Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: PO81105083.xlsx; Resource: win10v20201028)
Malware Config
Extracted: formbook
The extractor lists the C2 URL (the entry carrying a path, http://www.chuanxingtong.com/j5an/) together with the decoy domains Formbook stores in the same config block. Only the URL is the beacon endpoint; the bare domains are decoys and should be handled as low-confidence indicators, since decoy entries are often legitimate registered domains.
http://www.chuanxingtong.com/j5an/
xwwgj.com
release-paypal.com
investorshighway.com
maglex.info
chenangopistolpermit.com
thebihareye.com
sanjosemasks.com
foremanmotors.com
stadtstreicherin.com
9247pf.com
erenvincplatform.xyz
cushcaps.com
flatisteam.com
kojyouibennto.com
rahmatsuparman.com
vallyfades.online
metropitstop.com
shopasha.com
windycitycreditsolutions.com
uproxysite.com
californiabilling.com
theexgirlfriendpics.com
arnoldnaturalresources.com
gfeets.com
streamelemeants.com
academiadacocriacao.com
nselife.com
maratinsaat.info
deviurg.com
mrbalumba.com
joyfinancialservices.com
retriever-home.com
paydayonlineloanapplication.com
dchasers.net
mct.ltd
geisshaven.com
mdejgqbp.icu
mercifulhandshc.com
bmtxm.com
aulbalu.com
globuswarming.com
wolfpacktowingrecovery.com
empireofconsciousness.com
yosyoshop.com
l7zexitam.xyz
lendtitle.com
charmedlifeinteriors.com
aimtopshop.com
teramareprime.com
muenker.world
just-embrace.com
amazon-co-jp.world
fsjinhua.net
lungi.cloud
mysinglecam.com
hortenserolland.com
grouptripinsurance.com
aspiringeyephotos.com
shoesiin.com
oodi.club
shakhriyarmamedyarov.com
musiklotteriet.com
germanystablecoin.com
land-il.com
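The following is an added example, not part of the sandbox report or of any vendor tool: it matches the extracted config against web-proxy log lines, rating a hit on the C2 host and path higher than a hit on a decoy domain. The IOC values are the report's; the log lines are constructed for the demo, and the assumption that the path-bearing entry is the live C2 while the bare domains are decoys is the one stated above.

```python
"""Match the Formbook config above against web-proxy log lines.

Added example, not part of the sandbox report or of any vendor tool. The
IOC values are taken from the report; the log lines are constructed for
the demo. Assumption: the entry with a URL path is the live C2 and the
bare domains are the decoy list Formbook carries in its config, so only a
host-plus-path hit is rated high confidence.
"""
from urllib.parse import urlsplit

C2_URL = "http://www.chuanxingtong.com/j5an/"
# Subset of the decoy domains listed in the report.
DECOY_DOMAINS = {
    "xwwgj.com", "release-paypal.com", "investorshighway.com",
    "maglex.info", "amazon-co-jp.world", "land-il.com",
}

# Constructed log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2021-01-21T10:01:02Z 10.0.0.5 GET http://www.chuanxingtong.com/j5an/?id=abc 200
2021-01-21T10:01:05Z 10.0.0.5 POST http://www.chuanxingtong.com/j5an/ 200
2021-01-21T10:01:40Z 10.0.0.5 GET http://chuanxingtong.com/index.html 200
2021-01-21T10:02:10Z 10.0.0.9 GET http://www.amazon-co-jp.world/ 404
2021-01-21T10:02:11Z 10.0.0.9 GET https://login.release-paypal.com/ 200
2021-01-21T10:03:00Z 10.0.0.7 GET https://www.example.com/ 200
2021-01-21T10:03:30Z 10.0.0.7 GET http://notchuanxingtong.com/j5an/ 200
"""


def _host_matches(host, domain):
    """Exact host or subdomain match; never a bare suffix match."""
    return host == domain or host.endswith("." + domain)


def _registered(host):
    """Drop a leading 'www.' so the C2 host matches with or without it."""
    return host[4:] if host.startswith("www.") else host


def classify(url):
    """'c2' for C2 host+path, 'c2-host' for the C2 host on another path,
    'decoy' for a decoy domain, None otherwise."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    c2 = urlsplit(C2_URL)
    if _host_matches(host, _registered(c2.hostname)):
        return "c2" if parts.path.startswith(c2.path) else "c2-host"
    if any(_host_matches(host, d) for d in DECOY_DOMAINS):
        return "decoy"
    return None


def scan(log_text):
    """Return (client_ip, url, verdict) for each log line hitting an IOC."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


def worst_per_client(hits):
    """Highest-confidence verdict seen for each client address."""
    rank = {"c2": 3, "c2-host": 2, "decoy": 1}
    worst = {}
    for client, _url, verdict in hits:
        if rank[verdict] > rank.get(worst.get(client), 0):
            worst[client] = verdict
    return worst


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for hit in hits:
        print(*hit)
    print(worst_per_client(hits))
```

Host matching is done on the hostname with a dot boundary, so a look-alike such as notchuanxingtong.com does not fire, while a subdomain of a listed domain does. A client whose only hits are decoy domains should be reviewed against other telemetry before any response action.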
Targets
Target: PO81105083.xlsx (2.2MB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures
- Xloader Payload (XLoader is the later name of the Formbook family identified by the extracted config above; the two labels refer to the same stealer)
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe, the .NET Visual Basic compiler rather than a VBScript engine; a signed Microsoft binary that loaders commonly use as an injection host)
- Enumerates physical storage devices: attempts to interact with connected storage/optical drive(s). The sandbox's generic note rates this as likely ransomware behaviour, but nothing else in this report shows file encryption, and the extracted config identifies an information stealer.
- Suspicious use of SetThreadContext (consistent with the process-hollowing style injection Formbook uses to run inside a legitimate process)
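As an added example that is not part of the report, the rule below correlates two of the signatures above, "Uses the VBS compiler for execution" and "Blocklisted process makes network request", over constructed Sysmon-style process-create and network-connect records, with a third rule for "Executes dropped EXE". Assumptions: the compiler the signature refers to is vbc.exe; the blocklist and the set of legitimate compiler parents are the small sets defined in the code, not the sandbox's own lists; and the parent chain in the sample events (EXCEL.EXE starting a dropped executable that starts vbc.exe) is illustrative only, since the report does not give the process tree.

```python
"""Correlate the report's process behaviours over Sysmon-style events.

Added example, not part of the sandbox report. Events are constructed;
EventID 1 = process create, EventID 3 = network connect. Assumptions:
the "VBS compiler" is vbc.exe, the blocklist below is our own, and the
parent chain in the sample data is illustrative, not taken from the report.
"""

# Our own blocklist of signed binaries that rarely need network access.
BLOCKLISTED = {"vbc.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
# Parents that legitimately start a compiler; anything else is suspect.
BUILD_PARENTS = {"msbuild.exe", "devenv.exe", "dotnet.exe", "csc.exe", "vbc.exe"}
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

EVENTS = [  # constructed, in time order
    {"EventID": 1, "Guid": "p1",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Guid": "p2",
     "Image": r"C:\Users\u\AppData\Roaming\dropped.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"EventID": 1, "Guid": "p3",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\dropped.exe"},
    {"EventID": 3, "Guid": "p3",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "DestinationHostname": "www.chuanxingtong.com", "DestinationPort": 80},
    {"EventID": 1, "Guid": "p4",  # benign: a real build started the compiler
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Program Files\MSBuild\msbuild.exe"},
    {"EventID": 3, "Guid": "p5",  # benign: browser traffic
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (guid, rule, detail) findings in event order.

    A blocklisted binary started by something other than a build tool is
    flagged, and a later network connection from that same process GUID
    is escalated; a connection from a blocklisted binary whose launch was
    not seen is still reported at the lower level.
    """
    findings = []
    suspicious_launch = set()
    for ev in events:
        img = basename(ev["Image"])
        if ev["EventID"] == 1:
            parent = basename(ev["ParentImage"])
            if parent in OFFICE and any(m in ev["Image"].lower() for m in USER_WRITABLE):
                findings.append((ev["Guid"], "office_spawned_executable_from_user_dir", img))
            if img in BLOCKLISTED and parent not in BUILD_PARENTS:
                suspicious_launch.add(ev["Guid"])
                findings.append((ev["Guid"], "compiler_launched_by_non_build_tool", parent))
        elif ev["EventID"] == 3 and img in BLOCKLISTED:
            rule = ("blocklisted_process_network_after_suspicious_launch"
                    if ev["Guid"] in suspicious_launch
                    else "blocklisted_process_network")
            dest = f'{ev["DestinationHostname"]}:{ev["DestinationPort"]}'
            findings.append((ev["Guid"], rule, dest))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(*finding)
```

Keying on the process GUID rather than the image name is what lets the benign vbc.exe started by msbuild.exe stay silent while the one started from a user-writable path is escalated once it connects out; on a real host the same logic applies to whichever signed binary the loader chose.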