General
-
Target
DL03327INV.xlsx
-
Size
93KB
-
Sample
220514-qcmldscbbn
-
MD5
5b4a67ac532a5d8900b815144f0fb845
-
SHA1
6da306004e084780e9f57f3702a5ec22e72fff6c
-
SHA256
98fc7157dafde651c3ab515663e3a91f034b49175e2e2495c00576c4b8e9e96d
-
SHA512
031659b74d92911a76865b5095e75521e69e322838e8636e66e9e365b5bc5ac270f61b3c4b8831dd7d3e16a7318d4b5b3e4379ae6487e81f1faa8bd9b988164d
Static task
static1
Behavioral task
behavioral1
Sample
DL03327INV.xlsx
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
DL03327INV.xlsx
Resource
win10v2004-20220414-en
Malware Config
Extracted
xloader
2.6
nc39
bohicaapparel.com
chilliesofwoodstock.com
szcipa.com
nirmalaswagruhafoods.com
orbitas.online
bjvxx.com
atomvpn.site
thecanvacoach.com
thewhitelounge.com
trwebz.xyz
yiwanggkm.com
maggiceden-io.com
kimyanindelisi.online
xn--e02b19uo0j.com
kaola74.top
klcsales.net
renacerdevteam.com
talkmoor.com
seobusinesslistings.com
contractornurd.com
wolksquit.com
hamiltonspringfield.com
skinclash.com
d-web.net
tige03.xyz
thereeldecoy.com
dutyapparel.com
vicentedotorarquitectos.com
bensdrywall.com
domainnetwoks.com
incorrectbenevolence.com
ramvadher.space
dbluvt.xyz
laps-clicks.com
thewattelectric.com
fogpromo.com
ibcfitting.com
get25000today.com
do-hobbies-indoors.com
marmagdistribuciones.com
newworldtongpaihotels.net
3astratford.com
tocarrythemessage.com
57shasha.club
117colgett.com
captainnoclue.com
rapejesus.site
grandas-svoboda.com
apartmentpermis.com
greatco.biz
joneswoodworks.com
lilatoons.com
banalto.com
caycilargida.online
gangez.com
tw-life.net
treasuresofjudaica.com
monin.one
earthdefense.global
troolygood.com
eafc.tech
southcarolinawire.xyz
designstatussupport.com
moorblaque.com
arjimni.com
Targets
-
-
Target
DL03327INV.xlsx
-
Size
93KB
-
MD5
5b4a67ac532a5d8900b815144f0fb845
-
SHA1
6da306004e084780e9f57f3702a5ec22e72fff6c
-
SHA256
98fc7157dafde651c3ab515663e3a91f034b49175e2e2495c00576c4b8e9e96d
-
SHA512
031659b74d92911a76865b5095e75521e69e322838e8636e66e9e365b5bc5ac270f61b3c4b8831dd7d3e16a7318d4b5b3e4379ae6487e81f1faa8bd9b988164d
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-