General
-
Target
PO81105083.xlsx
-
Size
2.2MB
-
Sample
210121-d6kt1q6w96
-
MD5
9797bc6c5ce33a7cc291dd48899c0f92
-
SHA1
2c19029d4a5207aeb0dd73bb8b00adc4d17c9b40
-
SHA256
5fd2f87cfb199fdc7d2f870e6e0cd276a132d1f034f48fbc54d97149117b13f2
-
SHA512
4681140bba76c793fbe2d0d2a85fafc766d4579c1f26aca8bb4cb5566335b39677669fda9a87c26ebd4399b143580e5a96667d0d8e8dba03f98be22887632be6
Malware Config
Extracted
formbook
http://www.chuanxingtong.com/j5an/
xwwgj.com
release-paypal.com
investorshighway.com
maglex.info
chenangopistolpermit.com
thebihareye.com
sanjosemasks.com
foremanmotors.com
stadtstreicherin.com
9247pf.com
erenvincplatform.xyz
cushcaps.com
flatisteam.com
kojyouibennto.com
rahmatsuparman.com
vallyfades.online
metropitstop.com
shopasha.com
windycitycreditsolutions.com
uproxysite.com
Targets
-
-
Target
PO81105083.xlsx
-
Size
2.2MB
-
MD5
9797bc6c5ce33a7cc291dd48899c0f92
-
SHA1
2c19029d4a5207aeb0dd73bb8b00adc4d17c9b40
-
SHA256
5fd2f87cfb199fdc7d2f870e6e0cd276a132d1f034f48fbc54d97149117b13f2
-
SHA512
4681140bba76c793fbe2d0d2a85fafc766d4579c1f26aca8bb4cb5566335b39677669fda9a87c26ebd4399b143580e5a96667d0d8e8dba03f98be22887632be6
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Enumerates physical storage devices
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext
-