General
Target: Berthing.xlsx
Size: 131KB
Sample: 220511-kybhcsgbh9
MD5: 95b1b15c87f5d6daba1c72e6514a9fc1
SHA1: 4f05f44baf5d8d3e31dc050c79f1d8703c82e0be
SHA256: 719ac8462a554ec46d13e7c3b33c39248d546da6e9618edec381656472814352
SHA512: bf1f39e08e3baeabc034145b9ec04b56787ee80d9c408d89368b88f6e0a5508e94d3921e1887efd47988f8e0d275530c854095d4d19861221a9cc939776afad4
Static task: static1
Behavioral task: behavioral1 (Sample: Berthing.xlsx; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Berthing.xlsx; Resource: win10v2004-20220414-en)
Malware Config
Extracted family: xloader
Version: 2.5
Campaign: bs8f
C2 domains:
atmospheraglobal.com
dontshootima.com
bestofferusde.club
yourdigitalboss.com
breskizci.com
myarrovacoastwebsite.com
reasclerk.com
efrovida.com
wsmz.net
upneett.com
loefflerforgov.com
noida.info
trndystore.com
arhaldar.online
vivibanca.tech
mykrema.com
vseserialy.online
ridgewayinsua.com
heauxland.com
bestcollegecourses.com
scent-kart.xyz
handyman-prime.com
wrightpurpose.com
hellounio.com
wealthy-link-erp.com
josegal.com
texasdominionrealty.com
hespresso.net
dreamonetnpasumo5.xyz
videosmind.com
abbawaalema.quest
esmtoluca.com
2382108759.com
akbastionoffilamentousfungi.com
electramanpower.com
siguealpanda.com
alquilerfurgon.com
3-little-pigs.com
esolutions4u.com
thatgolfer.com
biom4rk.com
paramusapartments.com
mothergadgets.com
ktnreport.xyz
amxdrivers.com
buymyhomeallcash.com
lifeisthere.com
nous-citoyens.com
destimarketing.com
lawinepro.com
littlenorwayfarmhouse.com
realworldgb488.rest
qualinorm.com
capitaltechcorp.com
familybeautifull.com
continentaldeal.com
scratchforce.com
veganbreathing.com
hickoryfalls-pm.com
pascal-rocha.com
20kretirementplan.biz
lehome.store
hellanatural.com
hnythao.com
gnizdo.online
Targets
Target: Berthing.xlsx (131KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures:
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Loads dropped DLL
Uses the VBS compiler for execution
Suspicious use of SetThreadContext