General
Target: RIOSAT_DOC.xlsx
Size: 201KB
Sample: 211103-ydpfdabgep
MD5: 4ed0940e6e53d246dae50a1a7dda5f68
SHA1: 4439f0cdb3937226cb4015ec4c2df54a36c29f65
SHA256: e6b973beff845a214101c3f4714d32f15112b86a9fbfbd301914063f2e4e5677
SHA512: 7f7734d8f9983339f279e95b76ce78743875889e5a1e7951f80e9e984ac34b31312ee0f80682976895e030d0784ec17be5b0ec65536a86b448706979a0f288f9
Static task: static1
Behavioral task: behavioral1
Sample: RIOSAT_DOC.xlsx
Resource: win7-en-20211014
Behavioral task: behavioral2
Sample: RIOSAT_DOC.xlsx
Resource: win10-en-20210920
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ht08
C2: http://www.septemberstockevent200.com/ht08/
Decoy domains:
joye.club
istanbulemlakgalerisi.online
annikadaniel.love
oooci.com
curebase-test.com
swisstradecenter.com
hacticum.com
centercodebase.com
recbi56ni.com
mmj0115.xyz
sharpstead.com
sprklbeauty.com
progettogenesi.cloud
dolinum.com
amaroqadvisors.com
traininig.com
leewaysvcs.com
nashhomesearch.com
joy1263.com
serkanyamac.com
nursingprogramsforme.com
huakf.com
1w3.online
watermountsteam.top
tyralruutan.quest
mattlambert.xyz
xn--fiqs8sypgfujbl4a.xn--czru2d
hfgoal.com
587868.net
noyoucantridemyonewheel.com
riewesell.top
expn.asia
suplementarsas.com
item154655544.com
cdgdentists.com
deboraverdian.com
franquiciasexclusivas.tienda
tminus-10.com
psychoterapeuta-wroclaw.com
coachingbywatson.com
lknitti.net
belenpison.agency
facilitetec.com
99077000.com
thefitmog.com
kinmanpowerwashing.com
escueladelbuenamor.com
getjoyce.net
oilelm.com
maikoufarm.com
hespresso.net
timothyschmallrealt.com
knoxvilleraingutters.com
roonkingagency.online
trashwasher.com
angyfoods.com
yungbredda.com
digipoint-entertainment.com
shangduli.space
kalaraskincare.com
ktnsound.xyz
miabellavita.com
thenlpmentor.com
marzhukov.com
Targets
Target: RIOSAT_DOC.xlsx
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta: Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext