General
-
Target
Darko doo Ponuda.xlsx
-
Size
208KB
-
Sample
220510-ln6q7abbhl
-
MD5
2cb3dc55d935fa041cc469463236c7d4
-
SHA1
ebaa2a6e8eb071847808e233c706ce78725ecad1
-
SHA256
9386ac01c50cc2486dd0decec3706823b016adfba3cff50ffda5ed2ddd7f52c7
-
SHA512
db8f57ed860f14825aa1949969473b7d6d7413b3af6afb01e32a40077b96d40d186ee6300fc8a26591f73076c4cee0c8914c56bd0273e48eed507dd5c398c566
Static task
static1
Behavioral task
behavioral1
Sample
Darko doo Ponuda.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
Darko doo Ponuda.xlsx
Resource
win10v2004-20220414-en
Behavioral task
behavioral3
Sample
decrypted.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral4
Sample
decrypted.xlsx
Resource
win10v2004-20220414-en
Malware Config
Extracted
xloader
2.6
arh2
hstorc.com
blackountry.com
dhrbakery.com
dezhouofit.com
defipayout.xyz
ginas4t.com
byzbh63.xyz
qrcrashview.com
mialibaby.com
enhaut.net
samainnova.com
yashveerresort.com
delfos.online
dungcumay.com
lj-counseling.net
fliptheswitch.pro
padogbitelawyer.com
aticarev.com
sederino.site
bestplansforpets-japan3.life
radicallysimplesupps.com
sandbagmaker.com
misdcf.xyz
nbpz.xyz
floridasunbreaks.com
justfinishesofcolorado.com
homemethtestkit.com
chaquetashapticas.com
zodiactshirt.com
tees.email
zxzx999.com
tempepdf.com
watchusroll.com
parotacenter.com
assistcourse.online
paulstilingroup.com
cnbcfx.com
mooncore.xyz
laplugnation.com
gosti24.com
cthomassolutions.com
rkhubs.com
aboutpier.com
multimediaroomandboard.com
iamparrot.com
wifitest.info
nounworld.com
xpartner.biz
128grandviewdrivenewportnsw.com
bakiin.com
suitcell.com
onehitgamerstudios.com
bathingsuitsshoppingus.com
wingstarifa.com
ccasudqi.com
epiconscious.com
ponponshoes.com
cicom.tech
safetynetinc.net
recanto.xyz
sellsidelite.net
kevmoinesproperties.com
hdwallpaperpics.life
57gznfw.xyz
abtys6.online
Targets
-
-
Target
Darko doo Ponuda.xlsx
-
Size
208KB
-
MD5
2cb3dc55d935fa041cc469463236c7d4
-
SHA1
ebaa2a6e8eb071847808e233c706ce78725ecad1
-
SHA256
9386ac01c50cc2486dd0decec3706823b016adfba3cff50ffda5ed2ddd7f52c7
-
SHA512
db8f57ed860f14825aa1949969473b7d6d7413b3af6afb01e32a40077b96d40d186ee6300fc8a26591f73076c4cee0c8914c56bd0273e48eed507dd5c398c566
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-
-
-
Target
decrypted
-
Size
201KB
-
MD5
e3506e12375a78e25c3928281dd19102
-
SHA1
94661f72f88800f105b413d7c93f9dc0a539f449
-
SHA256
16810206b9173b8f136c97f9d73fa19570aa14c697161774b1082fbd42a0a611
-
SHA512
083de22c84ea7ce61eddb0a5cbc7ecf2340dd708552a942713f991dd3a3a60c659ade36f9ed03bf657e707b7f275d1c6116427e5ca9d733a35cb99eafc7ac659
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-