General
- Target: debit.xlsx
- Size: 590KB
- Sample: 210918-t4s42acchl
- MD5: c619f3739311f1dea34c1d0f4af2e6ff
- SHA1: da2b62c78132a091d139c000fe1b47a46233c2e7
- SHA256: 8a0793b266dc3872fed04443f61c057e82c332081139106ddb72a6812e72ab02
- SHA512: d616f27317b333ac674bacbd87840fa8761c1af033ed49130381fe6feb8a3216e4bac0cb96779977757352965afb35d0d9ddc820831423178d8f3ac2fb820dcf
Static task: static1
Behavioral task: behavioral1 (Sample: debit.xlsx, Resource: win7v20210408)
Behavioral task: behavioral2 (Sample: debit.xlsx, Resource: win10v20210408)
Malware Config
- Extracted: xloader 2.4, uytf, http://www.fasilitatortoefl.com/uytf/
Targets
- Target: debit.xlsx, 590KB (hashes as listed under General)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext