General
Target: PO20210503.docx
Size: 10KB
Sample: 210503-rnml6bdmwx
MD5: 01efad1d21685954881771187b7c89a3
SHA1: 27a25eb720a4463bc31ce42d344cb42e634c3ef8
SHA256: 43b70d6f8bd360f7ad9bcb4f9f0bd70adbab27a733d27ec320168e1a127d8481
SHA512: 80e44521033828bcd8943870d751139ae76b38e2d02f3dce8ac56df322c2ebc70d92fb8036850be373e8f0e23c4649a3b774523a3431cf59888a42e2c5e1e955
Static task: static1
Behavioral task: behavioral1 (Sample: PO20210503.docx, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: PO20210503.docx, Resource: win10v20210410)
Malware Config
Extracted: http://will.kasraz.com/a/d.dot
Extracted: xloader 2.3, http://www.cats16.com/8u3b/
Targets
Target: PO20210503.docx
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext