General

Target: RPM.xlsx
Size: 411KB
Sample: 210927-qdr79shadr
MD5: eaa0090a7f7c6f995a4ff9b84410ef81
SHA1: 82198ab187a84b7a90ae83d57bfddd3c3acaafbc
SHA256: a81768982216ba95346c4a6eb0a591e71ab952b187565aef82331e8bb60851ea
SHA512: 02100c08b063fc3d96fc4a2e3d56e5af605a11567e60575e2b8290a07ce3c5bdf6a3eb4380ab81e9eb83ca9b86736dbbff0fc1c46b48d5c79078a099b97d15db
Static task: static1

Behavioral task: behavioral1
Sample: RPM.xlsx
Resource: win7v20210408

Behavioral task: behavioral2
Sample: RPM.xlsx
Resource: win10-en-20210920
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: scb0
C2: http://www.vetpipes.com/scb0/
Domains (extracted C2/decoy list; XLoader rotates through these and most are decoys, so treat the list as a hunting aid rather than a blocklist of attacker-owned infrastructure):
introlly.com
slowtravelco.com
sasanos.com
3424soldbastrophwy.com
isabelaefernando.net
0754fm.com
meta-bot.xyz
778tt8.com
krallechols.quest
lipagent.com
dermaqueeniran.com
psychoterapeuta-wroclaw.com
marmorariapiramide.online
luxonealbery.com
floridawp.com
nebobuild.com
facillitiespro-sweep.com
wwgzj.com
puffsmoke.online
cryptofuelcars.com
mcintoshsonoystercompany.com
viscoent.online
daveparkernotary.com
publicschools.fail
traexcel.com
lovelypersonals.com
emptycc.net
omniriot.com
etsawi9.com
rangerbuddys.com
medchemic.com
paparazziprom.com
atelifer.com
imlgw.com
vaguva.com
theportlandhandyman.com
oggu2.com
fuchs-consolidated.net
onluo.com
flirtylocals.xyz
foxyladynails.com
dgyej.com
cloudmaigc.com
lafabriqueabeille.com
vivagru.com
fuckingmom88.xyz
caesarscssino.com
jyh8882.com
diyiyc.com
lanceseuexpert.digital
omshivematka.com
agrigain-soil.com
burgettflorist.com
goddarddrillingllc.com
nchh07.xyz
tabulose-paare.com
notlficationintuit.com
killercross.com
storybylightstudio.com
flex-ecommerce.com
fearlessthread.com
skateboardlovers.com
mgav34.xyz
lucanos.info
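The extracted configuration above is only useful once it is turned into something that can be matched against telemetry. The following is an added example (not part of the sandbox report, and not code from the analysis platform) that loads the file hashes and network IOCs from this report, distinguishes the exact campaign C2 URL (domain plus the scb0 path) from a hit on the wider decoy-domain list, and runs the matcher over a few constructed proxy/DNS log lines. The domain set is a subset of the list above for brevity; the log lines and the log format are constructed for the example.

```python
"""Match the XLoader IOCs from this report against constructed log lines."""
import hashlib
import re

# File hashes copied from the report's General section.
FILE_HASHES = {
    "md5": "eaa0090a7f7c6f995a4ff9b84410ef81",
    "sha1": "82198ab187a84b7a90ae83d57bfddd3c3acaafbc",
    "sha256": "a81768982216ba95346c4a6eb0a591e71ab952b187565aef82331e8bb60851ea",
}
CAMPAIGN = "scb0"                       # campaign id from the extracted config
C2_DOMAIN = "vetpipes.com"              # registrable domain of the C2 URL
# Subset of the extracted domain list (assumption: in practice load the full list).
DOMAINS = {
    "vetpipes.com", "introlly.com", "slowtravelco.com", "sasanos.com",
    "meta-bot.xyz", "lipagent.com", "publicschools.fail", "lucanos.info",
}

# Hostname (with optional scheme) followed by an optional URL path.
_HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(/[^\s]*)?", re.I)


def matched_domain(host):
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    Suffix matching is anchored on a dot so that 'lucanos.info.example'
    does not match the IOC 'lucanos.info'.
    """
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line):
    """Return (severity, detail) findings for one log line."""
    findings = []
    for host, path in _HOST_RE.findall(line):
        d = matched_domain(host)
        if d is None:
            continue
        # Domain plus campaign path is the exact C2 from the config: high confidence.
        if d == C2_DOMAIN and path.startswith(f"/{CAMPAIGN}/"):
            findings.append(("high", f"xloader {CAMPAIGN} C2 contacted: {host}{path}"))
        else:
            # Any other hit is a domain from the C2/decoy list: worth triage, not proof.
            findings.append(("medium", f"xloader domain-list hit: {host} -> {d}"))
    return findings


def scan_log(lines):
    """Scan an iterable of log lines; return [(line_no, severity, detail), ...]."""
    results = []
    for n, line in enumerate(lines, start=1):
        for severity, detail in scan_line(line):
            results.append((n, severity, detail))
    return results


def hash_matches(data):
    """Return the algorithm whose digest of `data` equals the report's sample hash, else None."""
    for algo, expected in FILE_HASHES.items():
        if hashlib.new(algo, data).hexdigest() == expected:
            return algo
    return None


# Constructed proxy/DNS log lines (not real telemetry).
SAMPLE_LOG = [
    "2021-09-27T10:12:01Z 10.0.0.5 GET http://www.vetpipes.com/scb0/?id=abc 200",
    "2021-09-27T10:12:03Z 10.0.0.5 DNS A introlly.com",
    "2021-09-27T10:12:04Z 10.0.0.5 GET https://cdn.lucanos.info.example/x.js 200",
    "2021-09-27T10:12:05Z 10.0.0.5 GET https://example.com/ 200",
]

if __name__ == "__main__":
    for line_no, severity, detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no} [{severity}] {detail}")
    print("hash match on constructed bytes:", hash_matches(b"not the sample"))
```

Only the first constructed line (the campaign path under the C2 domain) is rated high; the bare DNS lookup of a listed domain is rated medium because XLoader's list is mostly decoys, and the lookalike host on the third line is correctly ignored.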
Targets

Target: RPM.xlsx
Size: 411KB
MD5: eaa0090a7f7c6f995a4ff9b84410ef81
SHA1: 82198ab187a84b7a90ae83d57bfddd3c3acaafbc
SHA256: a81768982216ba95346c4a6eb0a591e71ab952b187565aef82331e8bb60851ea
SHA512: 02100c08b063fc3d96fc4a2e3d56e5af605a11567e60575e2b8290a07ce3c5bdf6a3eb4380ab81e9eb83ca9b86736dbbff0fc1c46b48d5c79078a099b97d15db
Signatures

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Xloader Payload
Blocklisted process makes network request
Downloads MZ/PE file (a PE executable was fetched over the network during execution)
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution (vbc.exe, the signed Microsoft Visual Basic compiler, is launched; consistent with XLoader's known use of vbc.exe as an injection host)
Suspicious use of SetThreadContext (thread context rewritten in another process, typical of process hollowing / code injection)