General
-
Target
SKMB60219.xlsx
-
Size
186KB
-
Sample
220311-cez3lshfdn
-
MD5
96d7d76083a4a671520fc66cef8b117c
-
SHA1
2eb64b5ac52b4bffc75a180c051c26b2a6140f43
-
SHA256
b3280e9402e6172764449daedc9e687fbe7b474fd7a45d9756c588d1fa2b1fe2
-
SHA512
53b3f6f86f0fcb5eb8f3d9fb0babf94bcc358b4f9daf2aadd47c5eb2e796683b03ede312d877eaa1968b3c90ffc0d15ac958d1b0743403faf440365141bd26b9
Static task
static1
Behavioral task
behavioral1
Sample
SKMB60219.xlsx
Resource
win7-20220223-en
Behavioral task
behavioral2
Sample
SKMB60219.xlsx
Resource
win10v2004-en-20220113
Malware Config
Extracted
xloader
2.5
ahc8
192451.com
wwwripostes.net
sirikhalsalaw.com
bitterbaybay.com
stella-scrubs.com
almanecermezcal.com
goodgood.online
translate-now.online
sincerefilm.com
quadrantforensics.com
johnfrenchart.com
plick-click.com
alnileen.com
tghi.xyz
172711.com
maymakita.com
punnyaseva.com
ukash-online.com
sho-yururi-blog.com
hebergement-solidaire.com
civicinfluencers.net
gzhf8888.com
kuleallstar.com
palisadeslodgecondos.com
holyhirschsprungs.com
azalearoseuk.com
jaggllc.com
italianrofrow.xyz
ioewur.xyz
3a5hlv.icu
kitcycle.com
estate.xyz
ankaraescortvip.xyz
richclubsite2001.xyz
kastore.website
515pleasantvalleyway.com
sittlermd.com
mytemple.group
tiny-wagen.com
sharaleesvintageflames.com
mentalesteem.com
sport-newss.online
fbve.space
lovingtruebloodindallas.com
eaglehospitality.biz
roofrepairnow.info
mcrosfts-updata.digital
cimpactinc.com
greatnotleyeast.com
lovely-tics.com
douglas-enterprise.com
dayannalima.online
ksodl.com
rainbowlampro.com
theinteriorsfurniture.com
eidmueller.email
cg020.online
gta6fuzhu.com
cinemaocity.com
hopeitivity.com
savageequipment.biz
groceriesbazaar.com
hempgotas.com
casino-pharaon-play.xyz
ralfrassendnk-login.com
Targets
-
-
Target
SKMB60219.xlsx
-
Size
186KB
-
MD5
96d7d76083a4a671520fc66cef8b117c
-
SHA1
2eb64b5ac52b4bffc75a180c051c26b2a6140f43
-
SHA256
b3280e9402e6172764449daedc9e687fbe7b474fd7a45d9756c588d1fa2b1fe2
-
SHA512
53b3f6f86f0fcb5eb8f3d9fb0babf94bcc358b4f9daf2aadd47c5eb2e796683b03ede312d877eaa1968b3c90ffc0d15ac958d1b0743403faf440365141bd26b9
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-