General
-
Target
ecb02fbc_by_Libranalysis
-
Size
10KB
-
Sample
210520-gn6h1jp8d6
-
MD5
ecb02fbc03e5081a20ee10b35eb1efe8
-
SHA1
d41872cf3b63ef4b2292c3aed946e8515d2b9dda
-
SHA256
ff71526ee8d92ee36f36e5daa68bfc81e64a71931b2baf14b350a38d25ac5f10
-
SHA512
cc23a244487612e9c317e4b9d07b73e1315f25257aa60f6b9bb84bc9dbf3c4c16e59e561a0301c3dd4376a314abde733f212d43fde0c2c924e047a8b1ac65e2f
Malware Config
Extracted
http://wordfiletransfertocustomer.mangospot.net/-.......................................-.........................-/...........................................wbk
Extracted
xloader
2.3
http://www.yuanyouwang.com/njhr/
kyyx666.com
chicasgunsboutique.com
effectivevip.com
xvideoapps.com
mythree-informationupdates.com
concrete-cleaners.com
zxywxmr.com
runreach.com
khoemanh.club
basecampmedics.com
alloneart.com
thepeoplesgauntlet.com
pinkinomanbeauty.com
level60media.com
master.recipes
acadlearning.com
1001voltas.com
bakegeeks.com
fontaine-escargots.com
lushlobes.net
Targets
-
-
Target
ecb02fbc_by_Libranalysis
-
Size
10KB
-
MD5
ecb02fbc03e5081a20ee10b35eb1efe8
-
SHA1
d41872cf3b63ef4b2292c3aed946e8515d2b9dda
-
SHA256
ff71526ee8d92ee36f36e5daa68bfc81e64a71931b2baf14b350a38d25ac5f10
-
SHA512
cc23a244487612e9c317e4b9d07b73e1315f25257aa60f6b9bb84bc9dbf3c4c16e59e561a0301c3dd4376a314abde733f212d43fde0c2c924e047a8b1ac65e2f
Score10/10-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Abuses OpenXML format to download file from external location
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-