General
- Target: Copia_de_pago_12_03.xlsm
- Size: 197KB
- Sample: 210312-5d3mrbpb6s
- MD5: b5192b8607edf0e0d159f5510576cf24
- SHA1: ea830c1f6a158b362cdfd7a1c9ac250efe2143bf
- SHA256: 03e7588bbb5ace7f22485dee84bf149aa8129504b19b3727bf24ae8b1afd506c
- SHA512: 3d5548ddb32670faf5df4a5a74c8c766268990c9cd4edafe41b739f352beb0c9927b89abefdc248a65f1f224622d8681d6ba85468331831ca7e0a519e642b4c4
Static task: static1
Behavioral task: behavioral1
- Sample: Copia_de_pago_12_03.xlsm
- Resource: win7v20201028
Malware Config
- Extracted: xloader
Targets
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Xloader Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext