General
- Target: COAU7229898130.xlsx
- Size: 2.5MB
- Sample: 210305-qgdk85s8hn
- MD5: a3292b86bcd4841e80f76ba7f198092a
- SHA1: be33b9d9895cdb2c2cec310a9915bac27dfe8ec1
- SHA256: 2f3d395aa18539ff6e1a6046de332d246375ceec143cdc37b5122ab09dad4531
- SHA512: d04d1e676d4a22a99a98e05fbcfb21b33b2b1b4640be970ee4a4170c8ebce9b217cc3b1621489b012eef8e2c9c338ef8b6703163dd68a729fb6f7789b8e52136
Static task: static1
Behavioral task: behavioral1 (Sample: COAU7229898130.xlsx, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: COAU7229898130.xlsx, Resource: win10v20201028)
Malware Config
- Extracted: xloader
Targets
- Xloader Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext