General
-
Target
PO_KIND122822_.xlsx
-
Size
1.3MB
-
Sample
210824-hcl2pjvgas
-
MD5
302a2edb81d9e753217958ee2eccb691
-
SHA1
54fc8ec70f01fd8b5576b24ee98e11c55a50bbe6
-
SHA256
cc9ff3d7e92b4cd7b0a1abea6429d243b185d0f9d52d184ce91a34cb0c7a9ed8
-
SHA512
f5cbd28965bfd3909d8b86f78f32be510bee2daac7d35593881694c7eb0276d42e9072e2875f4b66f44c4b9332e30ec513d5b8e677d69d9be8ddf28aca4d8910
Static task
static1
Behavioral task
behavioral1
Sample
PO_KIND122822_.xlsx
Resource
win7v20210408
Behavioral task
behavioral2
Sample
PO_KIND122822_.xlsx
Resource
win10v20210408
Malware Config
Extracted
xloader
2.3
n8ba
http://www.narrowpathwc.com/n8ba/
thefitflect.com
anytourist.com
blggz.xyz
ascope.club
obyeboss.com
braun-mathematik.online
mtsnurulislamsby.com
jwpropertiestn.com
animalds.com
cunerier.com
sillysocklife.com
shopliyonamaaghin.net
theredcymbalsco.com
lostbikeproject.com
ryggoqlmga.club
realestatetriggers.com
luvlauricephotography.com
cheesehome.cloud
5fashionfix.net
wata-6-rwem.net
ominvestment.net
rrinuwsq643do2.xyz
teamtacozzzz.com
newjerseyreosales.com
theresahovo.com
wowmovies.today
77k6tgikpbs39.net
americagoldenwheels.com
digitaladbasket.com
gcagame.com
arielatkins.net
2020coaches.com
effthisshit.com
nycabl.com
fbvanminh.com
lovebirdsgifts.com
anxietyxpill.com
recaptcha-lnc.com
aprendelspr.com
expatinsur.com
backtothesimplethings.com
pcf-it.services
wintonplaceoh.com
designermotherhood.com
naamt.com
lifestylebykendra.com
thehighstatusemporium.com
oneninelacrosse.com
mariasmoworldwide.com
kitesurf-piraten.net
atelierbond.com
mynjelderlaw.com
moucopia.com
hauhome.club
imroundtable.com
thralink.com
baoequities.com
nassy.cloud
goldenstatelabradoodles.com
revenueremedyintensive.com
dfendglobal.com
pugliaandgastronomy.com
cypios.net
trinioware.com
Targets
-
-
Target
PO_KIND122822_.xlsx
-
Size
1.3MB
-
MD5
302a2edb81d9e753217958ee2eccb691
-
SHA1
54fc8ec70f01fd8b5576b24ee98e11c55a50bbe6
-
SHA256
cc9ff3d7e92b4cd7b0a1abea6429d243b185d0f9d52d184ce91a34cb0c7a9ed8
-
SHA512
f5cbd28965bfd3909d8b86f78f32be510bee2daac7d35593881694c7eb0276d42e9072e2875f4b66f44c4b9332e30ec513d5b8e677d69d9be8ddf28aca4d8910
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-