General
-
Target
MV MANDARIN SKY.xlsx
-
Size
369KB
-
Sample
211021-gzyshahhf5
-
MD5
c5ec05f0cccf093f4cf3234b09afbe8f
-
SHA1
2637d22813c3682f4c952078889351900aad218b
-
SHA256
9450a8d999143739c233bbfb12bca8975bb92255aef22486369704ad774b9737
-
SHA512
ec902def9b1e62eba9af009a76402b9860c0d4183ff34772b4907fb22dfc8b396664369f407a31e1b0563b8afc1294279a31174f4fb3af55e305154a4f12ae7c
Static task
static1
Behavioral task
behavioral1
Sample
MV MANDARIN SKY.xlsx
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
MV MANDARIN SKY.xlsx
Resource
win10-en-20210920
Malware Config
Extracted
xloader
2.5
wogm
http://www.eygtogel021.com/wogm/
sub-dude.net
repeatcustom.com
goodspaz.com
sinagropuree.com
jyh8886.com
muescabynes.quest
stark.agency
nolimit168.com
hypermediastore.com
arab-xt-pro.com
gruppovimar.com
santamariamoto.express
affaridistribuciones.com
straetah.com
collectionsbyvivi.com
nalainteriores.com
weeklywars.com
insightmyhome.com
ucml.net
herderguru.com
sz-jialejia.com
xinglu56.com
tenselect.net
arepaspuesdc.com
cvkf.email
moseslakeapartment.com
chantaldesign.space
884651.com
yzyf88.com
seattlecanna.com
obsessive.company
blessedfurnitures.com
disparandose.com
smmakrygiannakis.online
buno8ce.com
javaportal.info
laoqu6666.com
portfolioinsidertips.com
workospbit.space
biocrafts.net
estebancantillo.com
appliancestar.xyz
gloriousbees.xyz
porchlightwoodworks.com
rawhoneytnpasumo2.xyz
pokipass-niigata.com
aodesai.store
powro.online
playin.one
minded-afoot.com
zpahura.com
bodybybetsy.com
camworker.cloud
mest2.com
chezlulu.paris
officeupdate365.com
jackdanska.com
glenndcp.com
huikanvip.com
connectedtoolstore.com
flogicpro.com
yourhomestimate.com
dogtraining5x5.com
truenettnpasumo2.xyz
Targets
-
-
Target
MV MANDARIN SKY.xlsx
-
Size
369KB
-
MD5
c5ec05f0cccf093f4cf3234b09afbe8f
-
SHA1
2637d22813c3682f4c952078889351900aad218b
-
SHA256
9450a8d999143739c233bbfb12bca8975bb92255aef22486369704ad774b9737
-
SHA512
ec902def9b1e62eba9af009a76402b9860c0d4183ff34772b4907fb22dfc8b396664369f407a31e1b0563b8afc1294279a31174f4fb3af55e305154a4f12ae7c
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-