General
-
Target
tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls
-
Size
301KB
-
Sample
220117-q9nvqaahal
-
MD5
27307aea0f6f1b4b37f1e9949710d6f1
-
SHA1
249f3fe9f387feb6abf8323043705d367063b1aa
-
SHA256
26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829
-
SHA512
e6847c0c946dfafbc57c2933af0e6fb4e32b44edab75a0750509c9b3b16331b0b3a4db1a9bf247d86f8d47ea2365c6e4f32d2cf36d093db9c2e4fe8b920285ae
Static task
static1
Behavioral task
behavioral1
Sample
tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls
Resource
win10v2004-en-20220113
Malware Config
Extracted
xloader
2.5
nt3f
tricyclee.com
kxsw999.com
wisteria-pavilion.com
bellaclancy.com
promissioskincare.com
hzy001.xyz
checkouthomehd.com
soladere.com
point4sales.com
socalmafia.com
libertadysarmiento.online
nftthirty.com
digitalgoldcryptostock.net
tulekiloscaird.com
austinfishandchicken.com
wlxxch.com
mgav51.xyz
landbanking.global
saprove.com
babyfaces.skin
elainemaxwellcoaching.com
1388xc.com
juveniscloud.com
bsauksjon.com
the-waterkooler.com
comment-changer-sa-vie.com
psmcnd.top
rhodesleadingedge.com
mccuelawfirm.com
skinnscience.club
hype-clicks.com
liaojinc.xyz
okmakers.com
ramblertour.online
wickedhunterworld.com
fit-threads.com
cookidoo.website
magentabin.com
pynch1.com
best-paper-to-know-today.info
allmight.net
monicraftsprintables.com
avataroasis.com
10dian-4.com
cozastore.net
capitalcased.com
spacezanome.xyz
feiyangmi.com
11opus.com
getinteriorsolution.com
tidyhutstore.com
amazingpomskyfamily.com
tfcvintage.com
halfanape.com
rotakb.com
martinasfood.com
the-thanks.com
mithilmehta.com
em-photo.art
primerepro.com
lankasirinspa.com
gtbaibang.com
zealandiatobacco.com
deepikatransportpackers.com
eagle-meter.com
Targets
-
-
Target
tmp/26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829.xls
-
Size
301KB
-
MD5
27307aea0f6f1b4b37f1e9949710d6f1
-
SHA1
249f3fe9f387feb6abf8323043705d367063b1aa
-
SHA256
26da8ebb14184edf1c85c0d5981d81e441847856cdac50d5efe108a5e3424829
-
SHA512
e6847c0c946dfafbc57c2933af0e6fb4e32b44edab75a0750509c9b3b16331b0b3a4db1a9bf247d86f8d47ea2365c6e4f32d2cf36d093db9c2e4fe8b920285ae
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-