General
Target: NEW ORDER AST 28-29 OCT.xlsx
Size: 369KB
Sample: 211021-gzdgkaager
MD5: 90945f68e40c52dad2d8631ca83783cc
SHA1: 41fe1605b8c882cf4bd72af59daeca282a21dc5f
SHA256: 16767c9a749db0d3cad5f9778a1a11997899af377b2935251edce7237ab1512c
SHA512: d6e609dd8289a1ab4a5d256ca9e040c630985afebf4be8ebd5792a36defc00cf644a64ec97c31ed2b9637ef36f5f86c718d27bc2b857a129ceb8b9def7825a90
Static task: static1
Behavioral task: behavioral1
  Sample: NEW ORDER AST 28-29 OCT.xlsx
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: NEW ORDER AST 28-29 OCT.xlsx
  Resource: win10-en-20210920
Malware Config
Extracted family: xloader
Version: 2.3
Campaign (URI path): ahdu
C2 URL: http://www.casinoregio.com/ahdu/
Domains:
premiumfreebie.com
spintheblackestcircles.com
okaidoku-shop.net
zonaseguradregistropremios.com
wzocflfow.com
maanyah.com
warrioredjuan.com
uniquelypizza.com
wondertreehr.com
ddriiverzautozs.com
mattenterline.com
urenium.com
salonjedibreakthrough.com
imgkurd.com
pierrejacqueslyon.com
quimicasurandina.com
jkpfukgmt.icu
ansariclinic.com
ashleysema.design
arkadiafoliage.com
fhstzy.com
beautyandherocean.com
hgw234.com
whiteclawdogseltzer.com
montecitobeaches.com
weixinseo.xyz
javpanel.com
mayonnaiseplant.com
shooternetsports.com
withagecny.com
northernloss.com
theshedscharityshop.com
mi-darulaman.com
sezginotel.com
dreamcricketpro.com
mail-globo-com-webmails.com
seucorpofit.com
konversiondigital.com
nirvavacenter.com
communicateforfreedom.com
maxwellgroupphyscians.com
ltcy4.com
find-my-kids.com
gromov-plc.com
premiercovidscreening.com
telemedde.com
ifapt.com
getopalace.com
ralsendo.com
weinsurebars.com
bainrix.com
precisionprobusiness.com
therussellpinto.com
resepindonesia.space
obluedotpanobuy.com
vrev.net
source824.xyz
betsunmacougold.com
mabtas.com
mazcommunity.com
blockchainwallet.solutions
valentineennett.xyz
dolcevazquez.com
institutobalcarceolavarria.com
Targets
Target: NEW ORDER AST 28-29 OCT.xlsx (369KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Detections:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext