Extracted

• • Target

    Inquiry docs_00345.xlsx

  • Size

    185KB

  • MD5

    8601e9fbd0710b734aaa95ba56ebf397

  • SHA1

    d5fefeba0606f92a7223bbe51091132404670daa

  • SHA256

    b224f2409381b02e0f465d688fba51a84efc05092c484fc5521b6b2ac8698aa9

  • SHA512

    2f85167f109a1cbe77dcbe5bebbcd00f83abc72f34f491657f3e25319aaed07ee68e529287e500ca6220fb88f2b171f4b7cb0040de34c488d3d8b72c70abc95d

  Score

  10^/10

  formbookneshtaxloaderga6bloaderpersistenceratspywarestealertrojan

  • Detect Neshta Payload

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • Modifies system executable filetype association

    persistence

  • Neshta

    Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    persistencespywareneshta

  • Xloader

    Xloader is a rebranded version of Formbook malware.

    loaderxloader

  • Xloader Payload

    rat

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Uses the VBS compiler for execution

  • Adds Run key to start application

    persistence

  • Suspicious use of SetThreadContext

  behavioral1behavioral2