General
Target: PO819938490.doc
Size: 1.0MB
Sample: 210727-b6mxd3d7ss
MD5: 21b9f05eadd859677d470f1eb6d961c3
SHA1: de601328b24e39d14dacb60ebe53cd47cdd7adda
SHA256: f4d9e5ddca3444e2062f930675c49dbd3e1a73e3936b326a8edfe7090ce16b98
SHA512: 54d800235dbf33d209b3c2d859afcc8613f92b3ddeb08d6c48cf19bb3fe037bdd416d26de62ea5e7f24b85d946bc946b93132000e7987ad4e4683b7e60c7cb55
Static task: static1
Behavioral task: behavioral1 (sample PO819938490.doc, resource win7v20210410)
Behavioral task: behavioral2 (sample PO819938490.doc, resource win10v20210410)
Malware Config
Extracted: httP://136.144.41.61/MSIuaQz91rPyszO.exe
Extracted: xloader 2.3
http://www.arogyanlife.com/b82a/
Targets
Target: PO819938490.doc
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- CustAttr .NET packer
  Detects CustAttr .NET packer in memory.
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext