General
-
Target
W6902.xlsx
-
Size
187KB
-
Sample
220128-zpal2adcek
-
MD5
9a0e6f87707210a385ef8ed3bf348de3
-
SHA1
800a9f004b17cd24413eb98c2f6d9fcd02128887
-
SHA256
41b58cddca86e32e7034daf8e97dcdaa04ac6cdcb41eae86be1c3fa7fd05c871
-
SHA512
e35a536e9d68da1cc14ea854d977490ed6865cc756c23d479d6a37572f004c2f6b0ab475c9f765434588c827721b3fbc72cf5a33cf6144b92fc205bdc7a96269
Static task
static1
Behavioral task
behavioral1
Sample
W6902.xlsx
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
W6902.xlsx
Resource
win10-en-20211208
Malware Config
Extracted
xloader
2.5
b80i
yixuan5.com
jiazheng369.com
danielleefelipe.net
micorgas.com
uvywah.com
nbjcgl.com
streets4suites.com
hempgotas.com
postmoon.xyz
gaboshoes.com
pastodwes.com
libes.asia
damusalama.com
youngliving1.com
mollyagee.com
branchwallet.com
seebuehnegoerlitz.com
inventors.community
teentykarm.quest
927291.com
wohn-union.info
rvmservices.com
cuanquotex.online
buysubarus.com
360e.group
markham.condos
carriewilliamsinc.com
ennitec.com
wildberryhair.com
trulyrun.com
pinkandgrey.info
mnselfservice.com
gabtomenice.com
2thpolis.com
standardcrypro.com
58lif.com
ir-hasnol.com
ggsega.xyz
tipslowclever.rest
atlasgrpltdgh.com
4338agnes.com
hillsncreeks.com
pentest.ink
cevichiles.com
evodoge.com
gooooooo.xyz
ehaszthecarpetbagger.com
finanes.xyz
zoharfine.com
viperiastudios.com
sjljtzsls.com
frentags.art
mediafyagency.com
faydergayremezdayener.net
freelance-rse.com
quickmovecourierservices.com
lexingtonprochoice.com
farmacymerchants.com
inkland-tattoo.com
aloebiotics.com
rampi6.com
bookinggroningen.com
wilkinsutotint.com
inslidr.com
dreamschools.online
Targets
-
-
Target
W6902.xlsx
-
Size
187KB
-
MD5
9a0e6f87707210a385ef8ed3bf348de3
-
SHA1
800a9f004b17cd24413eb98c2f6d9fcd02128887
-
SHA256
41b58cddca86e32e7034daf8e97dcdaa04ac6cdcb41eae86be1c3fa7fd05c871
-
SHA512
e35a536e9d68da1cc14ea854d977490ed6865cc756c23d479d6a37572f004c2f6b0ab475c9f765434588c827721b3fbc72cf5a33cf6144b92fc205bdc7a96269
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-