General
Target: ORDER -ASLF1SR00116-PDF.doc
Size: 1.9MB
Sample: 210727-1dpwkfw6pe
MD5: 0c0b60565c79f37d0e1d15b3b2013fc4
SHA1: efcb55212302d0711069bdca97897b45f739358a
SHA256: 555467cb88d23529540d6d644cbd1862cf04a728d783b0f908457c073d5d5316
SHA512: 62b4b6f704798d1b9b5ebd88d2ed26ff46c86d5cc4564aab75fad18a7ed226387b923026366a82fc2d4ce8fd8d5fb82332ed4a6f85ccba351d669ea8d2fcacfa
Static task: static1
Behavioral task: behavioral1 (Sample: ORDER -ASLF1SR00116-PDF.doc, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: ORDER -ASLF1SR00116-PDF.doc, Resource: win10v20210408)
Malware Config
Extracted family: xloader
Version: 2.3
http://www.yummylipz.net/b8eu/
ppslide.com
savorysinsation.com
camilaediego2021.com
rstrunk.net
xianshikanxiyang.club
1borefruit.com
ay-danil.club
xamangxcoax.club
waltonunderwood.com
laurabissell.com
laurawmorrow.com
albamauto.net
usamlb.com
theoyays.com
freeitproject.com
jijiservice.com
ukcarpetclean.com
wc399.com
xn--pskrtmebeton-dlbc.online
exclusivemerchantsolutions.com
kkkc5.com
kakashis.club
minldsrvlceacvtlvty.net
tucantec.com
dreamlivehope.com
tayruaeco.com
wgaoutdoors.com
obersrock.com
notosickness.com
carporttube.com
customcbdgroup.com
vincentstreetdental.site
fidatosas.com
soft-drill.com
thelearningcountscompany.com
brateix.info
sexting-sites.com
wheredidmystokego.com
alorve.com
cataractmeds.com
purhenna.com
slicesystem.com
xn--v4q8fq9ps1clx5d774b.com
tuffysfight.com
dongtaykethop.cloud
thedesertwellness.com
maxridetubes.com
jungbo33.xyz
rokitrevs.com
fsoinc.com
bartelmefamily.com
greenresearch.farm
wws520.com
scoutandstellar.com
therachelfrankshow.com
rastrosomostodos.com
jqxfinance.com
escortsoslo.com
ocd-diesel.com
domainedelafrouardiere.com
9adamtech.com
omniheating.com
dpymenus.com
sellingonlineschool.com
Targets
Target: ORDER -ASLF1SR00116-PDF.doc (1.9MB; hashes as listed under General)
- suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of SetThreadContext