General
-
Target
Profoma Invoice.doc.zip
-
Size
450KB
-
Sample
210922-em9ccsdgdn
-
MD5
bf298b03f15074ccc248a0ad33fc4c27
-
SHA1
86f7332862faa87f1cc4c532980b2683ca958553
-
SHA256
67dc8a7809969daae173568204d468ae93d0985a8fc2b0caafebc30be43cc110
-
SHA512
7143208110219c3670079a61ee70f9e2b7e98d5e0a37d4c7f640b7ef30b61434edfa3625b1c7d2cac402c7ecc93fbf8462467d8ff436d6fc6bd9768c3ce63b8a
Static task
static1
Behavioral task
behavioral1
Sample
Profoma Invoice.doc.exe
Resource
win7v20210408
Malware Config
Extracted
xloader
2.5
c2ue
http://www.heidevelop.xyz/c2ue/
isportdata.com
stellarex.energy
hsucollections.com
menuhaisan.com
joe-tzu.com
lumichargemktg.com
uae.tires
rapidcae.com
softwaresystemsolutions.com
s-galaxy.website
daewon-talks.net
northgamesnetwork.com
catalogue-bouyguestele.com
criativanet.com
theseasonalshift.com
actionfoto.online
openmaildoe.com
trashpenguin.com
ennopure.net
azurermine.com
wingkingtong.com
innovativepropsolutions.com
transportesajusco.online
rosenblasts.info
ttsports.store
servpix.com
liveatthebiltmore.com
magentautil.com
aquolly.com
collabsales.com
bredaslo.com
suddisaddu.com
www920011a.com
uudh.info
bleuexpress.com
xivuko.com
upstatehvacpros.com
acami.art
thqahql.com
mauzabe.com
mydrones.net
franciseshun.com
nrrpri.com
adndpanel.xyz
straightcorndinner.xyz
locngrip.com
wgylab.xyz
greenmamba100.com
dmglobalconsult.net
alissanoume.xyz
thecallresources.com
spacesuperslot.com
goodiste.com
mensaheating.xyz
blackbait6.com
keepkalmm.com
kodyhughesracing.com
semantikgis.com
saffoldstrucking.com
ingb.online
popcert.com
tpsynergylab.com
acnefreerx.com
why1314.xyz
Targets
-
-
Target
Profoma Invoice.doc.exe
-
Size
992KB
-
MD5
4f25ed58038558b2e83f18896b245791
-
SHA1
80be9861fa9f10581fc77e0c4a1405dd5042365d
-
SHA256
03b8b680955c5827b5f80ace4afb923c2a5714cbe1b9ca579ab6f197b8826bc6
-
SHA512
8e586af0f9214b59075811bb15779ef7460e436c18c1995c70d3aafb3c6cb4d5def9671ae829df49d294588845f34e997b9b293366f289b3c7f782b55aa6dd63
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Blocklisted process makes network request
-
Deletes itself
-
Suspicious use of SetThreadContext
-