General
Target: Invoices From Last Year.xlsx
Size: 187KB
Sample: 220208-jxp4paegcm
MD5: 9f024bcd343054384c4309d02eb8aa11
SHA1: 446a3adcf4344d586b8548d36078196609e0c0b4
SHA256: df737ad5d92f25da55a1bc1ec33290e0d99f958bb40cdf45788adab8fe2a3088
SHA512: 5dd0be5c118717be6b46d6304c36eed576e21b4bd39a778832850570b675823baaa1dcde2ec95755802293eb0f2fdac14e31f0006038136613428f3f38fd6a2f
Static task: static1
Behavioral task: behavioral1 (Sample: Invoices From Last Year.xlsx; Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: Invoices From Last Year.xlsx; Resource: win10v2004-en-20220113)
Malware Config
Extracted
xloader
2.5
ahc8
methodicalservices.com
lojahelius.com
dxadxc.com
keshaunharris.club
hockeyengolfshop.online
sherranmanning.com
instylelimos.net
plick-click.com
tntexplode.com
movement-practice.net
nftlake.digital
134171.com
newhorizonseo.com
lm-solar.com
fahrrad-markt24.com
creatologiest.com
juststartmessy.com
sady-rossii-ural.com
blockchain-salt.com
bestoflakegeorge.guide
infinitymoversllc.com
javelephant.com
promocaozeraestoque.online
p60p.com
kreditineskorteleslt.com
chronicfit.store
onzep.store
shafiqandmudasir.com
vivemanku.online
chengfengdh.xyz
bets-bc-zrkqf.xyz
cellparts10.com
guardions.com
talenue.store
graffity-aws.com
buddingwsetcg.top
erikakorma.com
playex.ltd
jamaicarailways.com
nfthunter.art
ml-pilot.com
athleteteas.com
ruthdeliverance.info
medicmir.store
procurovariedades.com
undermour01.club
sneakeryeezy.com
dallmann.info
edm69.net
micj7870.com
silviomicalikush.xyz
activa.store
adeelnawaznj.com
travispilat.com
mercyships.kiwi
amazon939.com
talenterzllc.com
sbxip.com
phasernet.net
taggalla.com
pbspoolservices.com
34gjm.xyz
nuevochile.net
busdijogja.com
fyonkaly.com
Targets
Target: Invoices From Last Year.xlsx
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Adds Run key to start application
Suspicious use of SetThreadContext