General
-
Target
tmp/1ee280cb4130d09c2739d4e89cfd0aaa3a2a996d86606e43d4d42e29ac73ca28.xls
-
Size
310KB
-
Sample
220111-m4tx1afegn
-
MD5
f4d6c1f8616c2d921abe653049bf2b37
-
SHA1
41b4ede1e3f10a46b029a75cc472132ad1afae84
-
SHA256
1ee280cb4130d09c2739d4e89cfd0aaa3a2a996d86606e43d4d42e29ac73ca28
-
SHA512
77e02662535a351eccfdf8884f78920befb20e2fd5ff7c7d1cf762ae476967361fa4b09140c9d4bda9204dfdfd92e7a4658fd85768a2ac5b2c91a17649e670e7
Static task
static1
Behavioral task
behavioral1
Sample
tmp/1ee280cb4130d09c2739d4e89cfd0aaa3a2a996d86606e43d4d42e29ac73ca28.xls
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
tmp/1ee280cb4130d09c2739d4e89cfd0aaa3a2a996d86606e43d4d42e29ac73ca28.xls
Resource
win10-en-20211208
Malware Config
Extracted
xloader
2.5
ef6c
gicaredocs.com
govusergroup.com
conversationspit.com
brondairy.com
rjtherealest.com
xn--9m1bq8wgkag3rjvb.com
mylori.net
softandcute.store
ahljsm.com
shacksolid.com
weekendmusecollection.com
gaminghallarna.net
pgonline111.online
44mpt.xyz
ambrandt.com
eddytattoo.com
blendeqes.com
upinmyfeels.com
lacucinadesign.com
docomoau.xyz
xn--90armbk7e.online
xzq585858.net
kidzgovroom.com
lhznqyl.press
publicationsplace.com
jakante.com
csspadding.com
test-testjisdnsec.store
lafabriqueabeilleassurances.com
clf010.com
buybabysnuggle.com
uzmdrmustafaalperaykanat.com
levanttradegroup.com
arcflorals.com
kinglot2499.com
freekagyans.com
region10group.gmbh
yeyelm744.com
thehomedesigncentre.com
vngc.xyz
szesdkj.com
charlottewright.online
planetgreennetwork.com
pacifica7.com
analogueadapt.com
sensorypantry.com
narbaal.com
restaurant-utopia.xyz
golnay.com
szyyglass.com
redelirevearyseuiop.xyz
goldsteelconstruction.com
discovercotswoldcottages.com
geniuseven.net
apricitee.com
stopmoshenik.online
ya2gh.com
instatechnovelz.com
dbe648.com
seifjuban.com
conquershirts.store
totalcovidtravel.com
pamperotrabajo.com
satellitphonestore.com
fis.photos
Targets
-
-
Target
tmp/1ee280cb4130d09c2739d4e89cfd0aaa3a2a996d86606e43d4d42e29ac73ca28.xls
-
Size
310KB
-
MD5
f4d6c1f8616c2d921abe653049bf2b37
-
SHA1
41b4ede1e3f10a46b029a75cc472132ad1afae84
-
SHA256
1ee280cb4130d09c2739d4e89cfd0aaa3a2a996d86606e43d4d42e29ac73ca28
-
SHA512
77e02662535a351eccfdf8884f78920befb20e2fd5ff7c7d1cf762ae476967361fa4b09140c9d4bda9204dfdfd92e7a4658fd85768a2ac5b2c91a17649e670e7
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-