General
- Target: 8.xlsx
- Size: 260KB
- Sample: 220616-qk5f6sfbhn
- MD5: 7b2653d169de8630b50f5370efaf5e10
- SHA1: 2f3f890d6ca60b747b086937f01976891da9ee2a
- SHA256: f123bc28888e9864f76f3043d6d827f99d76c3ea366a0ea61d1081c941801388
- SHA512: 46b4f452000b6d3931dd85931725fe02b82dcd6fb6dcc0fe3db6e2a195052dee5a863135e64fd6cea76fa484b47135da12efd1f1c6d233b47e12546e8b080fd7
Static task
- static1
Behavioral task
- behavioral1: Sample 8.xlsx, Resource win7-20220414-en
Behavioral task
- behavioral2: Sample 8.xlsx, Resource win10v2004-20220414-en
Malware Config
Extracted
xloader
2.8
qm5s
leviathanfishingco.com
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Loads dropped DLL
- Uses the VBS compiler for execution
- Drops file in System32 directory
- Suspicious use of SetThreadContext