General
Target: SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581
Size: 267KB
Sample: 210304-cw1zlhczbn
MD5: 174339ee0b1d50af956d16c7608a787e
SHA1: 70f7dda70f239b16afcd1e7818075237c53abbc5
SHA256: 9e9f12d14bd6918e39116f6a1c8017ecf3cd93a37c760b67175c0332d429526e
SHA512: f7a7c1ff8cb032582f8695cb927e1429d8b355547b67a96dfb8834fd43e8891bd6a660c70935c910ba0ee2cb1f20a8d83bc42aab04db310b85fbadab8897527a
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581.rtf
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581.rtf
  Resource: win10v20201028
Malware Config
Extracted: http://bppgov.ng/gotv.exe
Extracted: xloader
http://www.pardsoda.com/w25t/
nowayinlocksmith.com
bookaprovider.com
joybirder.com
decoracerrado.com
preciousmonments.com
96kixx.com
parentseducationalco-op.com
cbdandbtc.com
santanadeliciasymas.com
finecharlottehomes.com
themanibox.com
backupasia.com
buffalodetailstore.com
iprdo.com
croce-komeko.com
bluechipsgroup.company
truyencow.com
globalism.online
oicrafts.com
naturalawakeningsprograms.com
findsurreydeltahomes.com
dressing.cat
tavazonfund.com
defichair.com
str8firekennels.com
lenskart.site
salahdinortho.com
3tothrive.com
watchsdeals.com
plethoracosmetics.net
kentland33store.com
abbaszawawi.com
resepmasakankita.info
tomschoices.net
xn--livezoty-bpb.com
sixteen3handscottages.com
elliesuesews.com
mylordismyshepherd.com
chaing-list.xyz
asesorgrupovivir.com
kicked2theothercurb.com
nemahealthcare.com
allsalesvinyl.net
crystal-beachclub.com
mprose.net
chooseone.xyz
glasgowldn2009.com
getyourquan.com
nailpolishng.com
myeunoiateacompany.com
tobaccomangalt.com
honggedichan.com
beleafagency.com
zhonghuixingyue.com
fitnessworldexample.com
skdocm.club
buygenerations.com
aressdsg.com
auberge-escotais.com
claritycleaningsystems.com
riru300.com
aserchofalltrades.com
blackholidayco.com
bookclubspeakers.com
Targets
Target: SecuriteInfo.com.Exploit.RTF-ObfsStrm.Gen.675.18581
Size: 267KB
MD5: 174339ee0b1d50af956d16c7608a787e
SHA1: 70f7dda70f239b16afcd1e7818075237c53abbc5
SHA256: 9e9f12d14bd6918e39116f6a1c8017ecf3cd93a37c760b67175c0332d429526e
SHA512: f7a7c1ff8cb032582f8695cb927e1429d8b355547b67a96dfb8834fd43e8891bd6a660c70935c910ba0ee2cb1f20a8d83bc42aab04db310b85fbadab8897527a

- Xloader Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext