General
- Target: 462e83926aa496cb66ce6ad34c0011ce656960e5.xlsm
- Size: 10KB
- Sample: 211011-nh3tfshac3
- MD5: 11021fe891f0ebd39cfa80d8866b40d7
- SHA1: 462e83926aa496cb66ce6ad34c0011ce656960e5
- SHA256: bb1c62d14e3f30eaae6c78838e19adc3ff1ce3e3f54bae25c77b567778a21392
- SHA512: 153c92921ae4ae1a860ae6009b6d016fad5987d5fbf578cab7f05fb2d5c1d69a8192871727657c249441a6ba6222b40674b4dce23fc6f84da196dc6b395f6337
Static task: static1
Behavioral task: behavioral1
- Sample: 462e83926aa496cb66ce6ad34c0011ce656960e5.xlsm
- Resource: win7-en-20210920
Malware Config
- Extracted: http://13.92.100.208/au/audio.exe
- Extracted: xloader, version 2.5, mexq, http://www.aliexpress-br.com/mexq/
Targets
- Target: 462e83926aa496cb66ce6ad34c0011ce656960e5.xlsm
Score: 10/10
- Process spawned unexpected child process. This typically indicates the parent process was compromised via an exploit or macro.
- Xloader Payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext