General

Target: PO P232-2111228.xlsx
Size: 228KB
Sample ID: 211125-vf983sbbg9
MD5: fe245cc71a6aaff582e5c14d1cb4f79e
SHA1: 5ad55c5abb60501750e154c12eca4347cd07ce41
SHA256: 9e315f448ba10b56fb6e53d39212ac98c9dc5c0c7b6dd3455f3bb65cce4a7a89
SHA512: 7d3be852d7850f50506fada9351e83ca0f2b3bf61d5f879c929a1deaae733921768f7332e12a22452fe5f371310b5f5d833f4937509f6964063f09475ac4e2b6
Static task: static1
Behavioral task: behavioral1 (sample: PO P232-2111228.xlsx, resource: win7-en-20211104)
Behavioral task: behavioral2 (sample: PO P232-2111228.xlsx, resource: win10-en-20211014)
Malware Config

Extracted: xloader
Version: 2.5
Campaign ID: ecaq
C2: http://www.lesventsfavorables.com/ecaq/
Decoy domains (XLoader contacts these alongside the real C2 to hide it; block them as well, but only the C2 entry above is the live controller):
hanshao886837.com
darknessinwhite.com
hermetiktipkombi.com
donalsupplies.xyz
fyourscript.com
emotionfocusedapproaches.com
companyinteldata.com
msiscripting.com
masu-masu-hitomi.com
melbourneweddingofficiant.com
trendyhunterr.com
clawfootdesigns.com
mrwhiskysteve.com
enkaguclendirme.com
ceuta-inversiones.com
gzz06j.cloud
tanahvilamalino.online
click-explore.com
quanqiu22222.com
m4ob.com
jonathandetail.com
cmarinservices.com
utiple.com
creditb2b.com
playjoker123.club
tanveermusicacademy.info
lovebonus.club
georgebalaam.com
bossreds.com
shiftprotection.com
sifeng.net
dessinaimprimer.website
tzryly.com
riftvalleyfoods.com
olympicasia.com
thereserveatstockbridge.com
allclaimspublicadjusting.com
braveget.com
quadrisign.com
experimentalparadise.com
turgidharrier.net
oknafich-sochi.online
clt12xx.xyz
cozastore.net
treeteescoop.com
jerseystoreofficial.com
14d7.com
findur-guide.info
tornfilmseries.net
33ghouls.com
ingleseacolazione.com
ecofetalrecife.com
flagimir.store
myauroma.com
sodavaranmali.com
charzed.com
lovelyurls.com
primesolucoes.digital
thinkpod.website
232689tyc.com
firedbybiden.com
roelboogaard.com
gomesmodeling.com
tutoringangels.com
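As an added example (not part of the sandbox report), the following Python turns the extracted config into a small proxy-log hunt. It uses the C2 URL and campaign ID from this page and a subset of the decoy domain list; the log format and the log lines are constructed for the example. The third verdict, "campaign-path", is a heuristic based on XLoader/Formbook using the campaign ID as the URI path on every host it talks to, so a request to an unlisted host with exactly that path is worth a manual look even though it is not in the config.

```python
"""Hunt proxy logs for the XLoader C2 and decoy domains listed above.

Added example, not part of the sandbox report. Assumes a simple
space-separated proxy log: timestamp client method url status.
"""
from __future__ import annotations

from collections import Counter
from urllib.parse import urlsplit

# Values taken from the extracted config on this page.
C2_URL = "http://www.lesventsfavorables.com/ecaq/"
CAMPAIGN_ID = "ecaq"
# Subset of the decoy domain list (the full list is in the config above).
DECOY_DOMAINS = [
    "hanshao886837.com",
    "darknessinwhite.com",
    "hermetiktipkombi.com",
    "donalsupplies.xyz",
    "fyourscript.com",
    "emotionfocusedapproaches.com",
]


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    www.example.com, example.com and EXAMPLE.COM. compare equal."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def build_iocs(c2_url: str, decoys: list[str]) -> dict[str, str]:
    """Map normalized host -> 'c2' or 'decoy'."""
    iocs = {normalize_host(d): "decoy" for d in decoys}
    iocs[normalize_host(urlsplit(c2_url).hostname)] = "c2"
    return iocs


IOCS = build_iocs(C2_URL, DECOY_DOMAINS)


def classify_request(url: str, iocs: dict[str, str] = IOCS,
                     campaign_id: str = CAMPAIGN_ID) -> str | None:
    """Return 'c2', 'decoy', 'campaign-path' or None for one URL.

    'campaign-path' flags a request whose whole URI path is /<campaign id>/
    on a host that is not in the list. It is a weaker signal than a host
    match (rotated C2 the config does not know about); review it manually.
    """
    parts = urlsplit(url)
    if not parts.hostname:
        return None  # not a URL we can attribute to a host
    host = normalize_host(parts.hostname)
    if host in iocs:
        return iocs[host]
    if parts.path.rstrip("/") == f"/{campaign_id}":
        return "campaign-path"
    return None


def scan_logs(text: str) -> list[tuple[str, str, str]]:
    """Return (client, url, verdict) for every matching log line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash the hunt
        _ts, client, _method, url, _status = fields[:5]
        verdict = classify_request(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


def summarize(hits: list[tuple[str, str, str]]) -> Counter:
    """Count hits per verdict, e.g. Counter({'c2': 1, 'decoy': 1})."""
    return Counter(verdict for _, _, verdict in hits)


# Constructed sample log lines (not taken from the report).
SAMPLE_LOG = """\
2021-11-25T10:01:02Z 10.0.0.5 GET http://www.lesventsfavorables.com/ecaq/?id=1 200
2021-11-25T10:01:03Z 10.0.0.5 POST http://www.hanshao886837.com/ecaq/ 404
2021-11-25T10:01:04Z 10.0.0.5 POST http://www.fresh-c2.example/ecaq/ 200
2021-11-25T10:02:00Z 10.0.0.7 GET http://intranet.example/reports/ecaq/index.html 200
2021-11-25T10:02:05Z 10.0.0.7 GET https://www.example.org/ 200
"""

if __name__ == "__main__":
    for client, url, verdict in scan_logs(SAMPLE_LOG):
        print(f"{verdict:14} {client:10} {url}")
    print(summarize(scan_logs(SAMPLE_LOG)))
```

The host check strips "www." because the config lists bare domains while the beacons in the wild carry the "www." prefix seen in the C2 URL; the path check deliberately requires the whole path to be /ecaq/ so that an unrelated internal URL that merely contains the string does not fire.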
Targets

Target: PO P232-2111228.xlsx (228KB; MD5, SHA1, SHA256 and SHA512 as listed under General above)

Signatures matched:
- Xloader Payload
- Blocklisted process makes network request (a process that should not normally talk to the network did)
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution (vbc.exe launched)
- Suspicious use of SetThreadContext (rewriting another thread's context, the usual process hollowing/injection primitive)