General
-
Target
W6902.xlsx
-
Size
187KB
-
Sample
220131-e1zp3sehdl
-
MD5
69795e78fb23e13a62ebc183ef90b3ed
-
SHA1
e16a17d9001daf722aab876d3dab010218af2a23
-
SHA256
acc4be02b6d345725689351b0de0b19ea35f356a60df8cf92318fe9ff96e474f
-
SHA512
77d20558c55569551b3e232a5b3f500ae5056fb13634a50bbadcda1ebdfefe6685d04479a6ae01e58c2a7ec3d0565c887a53d74000d7fe6b5c1404267fb4f651
Static task
static1
Behavioral task
behavioral1
Sample
W6902.xlsx
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
W6902.xlsx
Resource
win10-en-20211208
Malware Config
Extracted
xloader
2.5
b80i
yixuan5.com
jiazheng369.com
danielleefelipe.net
micorgas.com
uvywah.com
nbjcgl.com
streets4suites.com
hempgotas.com
postmoon.xyz
gaboshoes.com
pastodwes.com
libes.asia
damusalama.com
youngliving1.com
mollyagee.com
branchwallet.com
seebuehnegoerlitz.com
inventors.community
teentykarm.quest
927291.com
wohn-union.info
rvmservices.com
cuanquotex.online
buysubarus.com
360e.group
markham.condos
carriewilliamsinc.com
ennitec.com
wildberryhair.com
trulyrun.com
pinkandgrey.info
mnselfservice.com
gabtomenice.com
2thpolis.com
standardcrypro.com
58lif.com
ir-hasnol.com
ggsega.xyz
tipslowclever.rest
atlasgrpltdgh.com
4338agnes.com
hillsncreeks.com
pentest.ink
cevichiles.com
evodoge.com
gooooooo.xyz
ehaszthecarpetbagger.com
finanes.xyz
zoharfine.com
viperiastudios.com
sjljtzsls.com
frentags.art
mediafyagency.com
faydergayremezdayener.net
freelance-rse.com
quickmovecourierservices.com
lexingtonprochoice.com
farmacymerchants.com
inkland-tattoo.com
aloebiotics.com
rampi6.com
bookinggroningen.com
wilkinsutotint.com
inslidr.com
dreamschools.online
Targets
-
-
Target
W6902.xlsx
-
Size
187KB
-
MD5
69795e78fb23e13a62ebc183ef90b3ed
-
SHA1
e16a17d9001daf722aab876d3dab010218af2a23
-
SHA256
acc4be02b6d345725689351b0de0b19ea35f356a60df8cf92318fe9ff96e474f
-
SHA512
77d20558c55569551b3e232a5b3f500ae5056fb13634a50bbadcda1ebdfefe6685d04479a6ae01e58c2a7ec3d0565c887a53d74000d7fe6b5c1404267fb4f651
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-