General
-
Target
tmp/885a3f3c6c82f70a36a07cc47a0655ec01283f28863aa8c216f6ffa73f77bf2e.xls
-
Size
317KB
-
Sample
211220-qrcdzaafd7
-
MD5
207b94d9cc8b9af2ccc9ff119cf94ae5
-
SHA1
2c562a8c366f4ae564e7b6e9264212fb602429bf
-
SHA256
885a3f3c6c82f70a36a07cc47a0655ec01283f28863aa8c216f6ffa73f77bf2e
-
SHA512
0feef63885c908f399d794496b420b514ca67b6874440ddba7d8972250f6c1384278155a5b7ee2917cef95ac167705a75cc6ae8ad9fedfdb7575426fd74e7354
Static task
static1
Behavioral task
behavioral1
Sample
tmp/885a3f3c6c82f70a36a07cc47a0655ec01283f28863aa8c216f6ffa73f77bf2e.xls
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
tmp/885a3f3c6c82f70a36a07cc47a0655ec01283f28863aa8c216f6ffa73f77bf2e.xls
Resource
win10-en-20211208
Malware Config
Extracted
xloader
2.5
fqiq
driventow.com
ipatchwork.today
bolder.equipment
seal-brother.com
mountlaketerraceapartments.com
weeden.xyz
sanlifalan.com
athafood.com
isshinn1.com
creationslazzaroni.com
eclecticrenaissancewoman.com
satellitephonstore.com
cotchildcare.com
yamacorp.digital
ff4cuno43.xyz
quicksticks.community
govindfinance.com
farmersfirstseed.com
megacinema.club
tablescaperendezvous4two.com
ecarehomes.com
floaterslaser.com
benisano.com
saint444.com
thedusi.com
avafxtrade.online
hanenosuke.com
suntioil4u.com
healthyweekendtips.com
24000words.com
ofbchina.net
begukiu0.info
wolmoda.com
mask60.com
4bellemaison.com
mambacustomboats.com
sedsn.com
doggycc.com
kangrungao.com
pharmacistcharisma.com
passiverewardssystems.com
qywyfeo8.xyz
shenjiclass.com
rdoi.top
lavishbynovell.com
fleetton.com
hillcresthomegroup.com
hartfulcleaning.com
srofkansas.com
applebroog.industries
phillytrainers.com
dmc--llc.com
sosoon.store
daysyou.com
controldatasa.com
markarge.com
hirayaawards.com
clinicscluster.com
sophiagunterman.art
kirtansangeet.com
residential.insure
ribbonofficial.com
qianhaijcc.com
fytvankin.quest
esyscoloradosprings.com
Targets
-
-
Target
tmp/885a3f3c6c82f70a36a07cc47a0655ec01283f28863aa8c216f6ffa73f77bf2e.xls
-
Size
317KB
-
MD5
207b94d9cc8b9af2ccc9ff119cf94ae5
-
SHA1
2c562a8c366f4ae564e7b6e9264212fb602429bf
-
SHA256
885a3f3c6c82f70a36a07cc47a0655ec01283f28863aa8c216f6ffa73f77bf2e
-
SHA512
0feef63885c908f399d794496b420b514ca67b6874440ddba7d8972250f6c1384278155a5b7ee2917cef95ac167705a75cc6ae8ad9fedfdb7575426fd74e7354
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-