General
Target: RFQ_293.xlsx
Size: 440KB
Sample: 211028-mxkezsfhel
MD5: 0c9056f4d1c364a1b86c2cbd4d2f9010
SHA1: 1f7436322f2a5602bef4a97779aa4e66e6d82405
SHA256: dd3ab4cca36bd08f8d95b6d2f6fe654c555febebdc5ca5558ef577448ebf7567
SHA512: 1d203764f4c31b08ca01d9f75623f042f5156737b506057f3e609ac4e1b9333c9981a09fc979a608b1de2b77bd1f7e65777c785b9982921d671cfbc21a072907
Static task: static1
Behavioral task: behavioral1 (Sample: RFQ_293.xlsx, Resource: win7-en-20211014)
Behavioral task: behavioral2 (Sample: RFQ_293.xlsx, Resource: win10-en-20210920)
Malware Config
Extracted: xloader
Version: 2.5
rqan
http://www.cardboutiqueapp.com/rqan/
Targets
Target: RFQ_293.xlsx
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Xloader Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Suspicious use of SetThreadContext