General
-
Target
BM09 INV.PL.xlsx
-
Size
369KB
-
Sample
211021-gzc6ssageq
-
MD5
b03819cd2356392079a49fa5f0477ff9
-
SHA1
c6d295042dbad6daa7eccedddd354f9e90643b31
-
SHA256
0b9c4c0a71c0262d0af9cabc0b3cdc179ed4114e0ede23afce8342f48714adbb
-
SHA512
15ccab47909ffbe46f7cc995d36d93191cf1e541cf6653ad771dd869b71a9eb3d321dc5c0569064dc2feceb40e495ea19aba1c71c055b62a4fcb7dc3f99ccf5e
Static task
static1
Behavioral task
behavioral1
Sample
BM09 INV.PL.xlsx
Resource
win7-en-20211014
Behavioral task
behavioral2
Sample
BM09 INV.PL.xlsx
Resource
win10-en-20210920
Malware Config
Extracted
xloader
2.5
ons6
http://www.parasitevhs.net/ons6/
946acc.net
ilkermulla.com
edificationhub.com
aptbaby.com
luisrgonzalez.com
postandpine.com
objective-object.com
storeydrive.rentals
mobile-find.com
africanbridaluk.com
zzjn12.xyz
ritechoiceinvestmentgroup.com
zitzies.xyz
trulyproofreading.com
ktndetermine.xyz
advertising.land
keywordgomuwk.xyz
niecliomusicspirit.com
lhortelecom.com
cryptochieftan.com
fumctulsa.com
librariumclub.com
tinturas-espagiricas.com
regencyimperial.com
worldremirt.com
nikurei.com
edukado.online
med2cloud.com
sasktwl.net
ancditalia.com
nagukoohatomo.xyz
febfit.com
brasbux.com
bilinili236.xyz
girlxyz.com
trm.computer
studiomuis.com
pinnap.online
ra-hanbaiten-lulusia.xyz
desso.one
devilsheartdesign.com
gestproducts.com
mount-motion.com
miltonjorge.net
xiaomiyp6.com
rurikon2.com
wwwmwrfinancial.com
mikexktolsd.com
businessim.net
algoescrow.com
bitterbaybay.com
acidulante.com
yourchancemarketing.com
accidental-blogger.com
breastcancerforumbd.com
viellacharteredland.com
wkefaromaticum.com
guardianenergy.group
gamblersprintcars.com
midiff.com
firstbymel.com
fdwqw.xyz
ngatihaukoporeihana.com
pictureballthose.top
Targets
-
-
Target
BM09 INV.PL.xlsx
-
Size
369KB
-
MD5
b03819cd2356392079a49fa5f0477ff9
-
SHA1
c6d295042dbad6daa7eccedddd354f9e90643b31
-
SHA256
0b9c4c0a71c0262d0af9cabc0b3cdc179ed4114e0ede23afce8342f48714adbb
-
SHA512
15ccab47909ffbe46f7cc995d36d93191cf1e541cf6653ad771dd869b71a9eb3d321dc5c0569064dc2feceb40e495ea19aba1c71c055b62a4fcb7dc3f99ccf5e
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
suricata: ET MALWARE Possible Malicious Macro DL EXE Feb 2016
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-