General
-
Target
tmp/55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls
-
Size
299KB
-
Sample
220117-rct6xaaed5
-
MD5
5c899ea523fc5a003a2ee3de8f11bd02
-
SHA1
ef20b0be5970fc46faa0ff9bdfcd6e00f134653f
-
SHA256
55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89
-
SHA512
6ad715cb75f4bde32e4eebea96ca2f6091b68eaa6a370a0f4739edb883d72e920fe01e5b8cd110456f23d007f1b5037d0e70d62f15bbe2f40ee0e930264714db
Static task
static1
Behavioral task
behavioral1
Sample
tmp/55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
tmp/55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls
Resource
win10v2004-en-20220113
Malware Config
Extracted
xloader
2.5
pnug
natureate.com
ita-pots.website
sucohansmushroom.com
produrielrosen.com
gosystemupdatenow.online
jiskra.art
janwiench.com
norfolkfoodhall.com
iloveaddictss.com
pogozip.com
buyinstapva.com
teardirectionfreedom.xyz
0205168.com
apaixonadosporpugs.online
jawscoinc.com
crafter.quest
wikipedianow.com
radiopuls.net
kendama-co.com
goodstudycanada.com
huzhoucs.com
asinment.com
fuchsundrudolph.com
arthurenathalia.com
globalcosmeticsstudios.com
brandrackley.com
freemanhub.one
utserver.online
fullspecter.com
wshowcase.com
airjordanshoes-retro.com
linguimatics.com
app-verlengen.icu
singpost.red
j4.claims
inoteapp.net
jrdautomotivellc.com
xn--beaupre-6xa.com
mypolicyportal.net
wdgjdhpg.com
anshulindla.com
m981070.com
vertentebike.com
claim-available.com
buyfudgybombs.com
adfnapoli.com
blackfuid.com
clambakedelivered.info
marketingworksonhold.com
xvyj.top
richardsonsfinest.com
gurimix.com
dorhop.com
mauigrowngreencoffee.net
juzytuu.xyz
pokorny.industries
floridapermitsolutions.com
right-on-target-store.com
ynaire.com
nextpar.com
disdrone.com
fruitfulvinebirth.com
africanfairytale.com
leisuresabah.com
safetyeats.asia
Targets
-
-
Target
tmp/55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89.xls
-
Size
299KB
-
MD5
5c899ea523fc5a003a2ee3de8f11bd02
-
SHA1
ef20b0be5970fc46faa0ff9bdfcd6e00f134653f
-
SHA256
55294d13ba1d75f9daa7e87c0025c3efc6092ea3de41d3807ab5f50b87df9e89
-
SHA512
6ad715cb75f4bde32e4eebea96ca2f6091b68eaa6a370a0f4739edb883d72e920fe01e5b8cd110456f23d007f1b5037d0e70d62f15bbe2f40ee0e930264714db
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-