General
Target: BL.xlsx
Size: 289KB
Sample: 220428-g8wphabbf3
MD5: b8e9f95d4fa7c45a88a676e7bb3fc9ae
SHA1: acc6e22cbca2be6226fbddd46ce1ae8304f4f996
SHA256: a5710d566d75764e63a8669e72f21b5542c234af87a4217cf0415799cbe9c5e1
SHA512: 27ce1fc0a872ec06fd8cc5ca9d8da3dda05988a887e29b14066648fb855b8977169dca0e0c585c7516359ce10321787de57a682da39eed347f1cdbd922da254e
Static task: static1
Behavioral task: behavioral1 (Sample: BL.xlsx, Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: BL.xlsx, Resource: win10v2004-20220414-en)
Malware Config
Extracted: xloader 2.5 bs8f
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext