General
- Target: EX775380705313.doc__.rtf
- Size: 384KB
- Sample: 211213-sjgd3aehcp
- MD5: 99f1bdd67c558c943d6ba062bc327d28
- SHA1: 3694f22edb747d065595c4760fa25119581a43f1
- SHA256: 0efd3949bdca68716bd115e68de2f6247135e19dca8ff9e300eea9c7e9b4260f
- SHA512: a64d3834bec69ed63a00c77de68b12a11d48362f1772e926afea29f6b203c1d17c93bb3d4bc1956f32ac0a6bdb4a918ffc0f1437399c38e97ea923a2389989a0
Static task: static1
Behavioral task: behavioral1
  Sample: EX775380705313.doc__.rtf
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: EX775380705313.doc__.rtf
  Resource: win10-en-20211208
Malware Config
Extracted
xloader
2.5
b62n
http://www.multidetoxhepatico.com/b62n/
Targets
- Target: EX775380705313.doc__.rtf
- Detect Neshta Payload
- Modifies system executable filetype association
- Neshta
  Malware from the Neshta family infects other files with copies of itself in order to spread and cause damage.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext