General
Target: SWIFT Message.xlsx
Size: 192KB
Sample: 220127-qbk16sdbbk
MD5: de48399098ab9596a733ccc22252c019
SHA1: caa8c059a3ccc4aba10e9720c6eaa3162dfff665
SHA256: d688d58ddc22d144141b6b2791d6437b82bdac95267b263cb5ae04c855e32df2
SHA512: 90548dedfd9d8dd828760502cf8e00ebffcbedc71e03628f971dfb3c2275691de87326ec673ca5e8b048e1a895b7d3429a9014fdb826aed2cac7e551f842ddb5
Static task: static1
Behavioral task: behavioral1 (sample: SWIFT Message.xlsx, resource: win7-en-20211208)
Behavioral task: behavioral2 (sample: SWIFT Message.xlsx, resource: win10-en-20211208)
Malware Config
Extracted: xloader 2.5 u6vb
Targets
Target: SWIFT Message.xlsx
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Xloader Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext