General
- Target: 192.3.239.22_-_9000_-_document_invoice.doc___553058583012117df3bb047a83ec6129.dat
- Size: 20KB
- Sample: 220607-ktd3pacgf6
- MD5: 553058583012117df3bb047a83ec6129
- SHA1: 17c62c4a4580d55cac9cdd1ff6e01ea5fd9ef055
- SHA256: c7481ac4056524a4d60818692659188ff784c7f1f5a7333238ed08595a149add
- SHA512: 3b6ac6e1ccca523e1929353dfff426bb93cd2c441a8f2da248637904f8c51f59318537704e915fcfd71bd2fa53b29546002cd7c0d58ff619cbf1928ad577a4c9
Static task: static1
Behavioral task: behavioral1
- Sample: 192.3.239.22_-_9000_-_document_invoice.doc___553058583012117df3bb047a83ec6129.rtf
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 192.3.239.22_-_9000_-_document_invoice.doc___553058583012117df3bb047a83ec6129.rtf
- Resource: win10v2004-20220414-en
Malware Config
Extracted
xloader
2.6
be4o
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext