General

Target: FACTURA.xlsx
Size: 80KB
Sample: 220621-pea5psddcq
MD5: 54471ddd206fafeba1c73948f48ef258
SHA1: 2f59811f4afcef21b532358025d5a355387530d4
SHA256: 16ea528e9912bfca30351fb41ecd54eceab33f52d011c9b68f34d122c71980ec
SHA512: c7420e2b986cc61dba7b2e94394616f258a099b297dd3148f216e20d580801415b29bace9af178561a80d9c4bb38e5c421fce471c5ee54adc91b6c868775166b

Tasks

Static task: static1
Behavioral task: behavioral1 (sample FACTURA.xlsx, resource win7-20220414-en)
Behavioral task: behavioral2 (sample FACTURA.xlsx, resource win10v2004-20220414-en)
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: ta3t
C2 list (64 domains; XLoader configs mix the live C2 with decoy domains, so treat each entry as an indicator to hunt on rather than a confirmed C2):
breathdiagnostic.com
demo.gmbh
123y8.com
indianscoutrogue.com
jesusfiredept.com
x2-ape.net
lizuofangart.com
nerdsformula.com
pipstrips.com
overyonderhenly.com
botanicuochi.com
roomol.com
ard3ns.xyz
qbconsultancy.com
myromanticfactory.com
nailcolorgordonrdwilmington.com
3nigma.xyz
fsjjzssj.com
bigskytravel.net
musecoils.com
ayagalery.com
mandawali.com
dakotalinelodgellc.com
facilcad.com
jethub.pro
kaleidosystems.com
cryptomancer.net
imperfectaliens.com
mh-life.com
bossesnowparks.com
amigacorporation.com
bradleyhomeandyard.com
luck758.xyz
haizideliwu.com
sophiacc.com
vcsempreelu.online
shopcaseo.com
ecovillagepapagayo.com
autorespekt.com
highcountrybudz.com
agora-biodiversitaet.net
click-tokens.com
underhull.com
jpmcreative.us
nthbs.com
gabbysthriftstore.com
lebombomart.com
flowflowstudio.com
elliottconstructions.online
lavivabet361.com
xn--49sw99bt70acma1l.com
allegraronda.com
nftre3.com
steaksandribs.com
distributiontoearn.com
cflb.xyz
ratherhugecases.rest
accuweat.com
pamcasso.com
dukmas.com
scascensiongroup.com
yongfadianzi.com
smilebird.xyz
kenkodaizi.com
holly22.com
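The extracted domain list and the published hashes are only useful once they are turned into something that runs against telemetry. The following is an added example, not part of the sandbox report: it verifies a file on disk against the report's digests, normalises the config domains (including the punycode entry) into an indicator set, matches constructed DNS log lines against it with subdomain-aware suffix matching, and emits a Suricata dns.query rule per indicator. The domain subset, the log lines and the rule SIDs are constructed for illustration; paste the full 64 entries in practice.

```python
"""Hunting helpers built from the XLoader 2.6 / ta3t config in the FACTURA.xlsx report.
Added example, not part of the sandbox report. Domain subset, DNS log lines and
rule SIDs below are constructed for illustration."""
import hashlib

# Digests as published in the report for FACTURA.xlsx.
REPORT_HASHES = {
    "md5": "54471ddd206fafeba1c73948f48ef258",
    "sha1": "2f59811f4afcef21b532358025d5a355387530d4",
    "sha256": "16ea528e9912bfca30351fb41ecd54eceab33f52d011c9b68f34d122c71980ec",
}

# Subset of the 64 extracted domains (constructed subset; use the full list in practice).
# XLoader mixes the live C2 with decoys, so every entry is an indicator, not a confirmed C2.
CONFIG_DOMAINS = """
breathdiagnostic.com
123y8.com
x2-ape.net
3nigma.xyz
xn--49sw99bt70acma1l.com
accuweat.com
holly22.com
"""


def compute_hashes(data: bytes) -> dict:
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def verify_sample(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only if every published digest matches the bytes on disk."""
    got = compute_hashes(data)
    return all(got[alg] == val.lower() for alg, val in expected.items())


def load_domains(text: str) -> set:
    """Lowercase, strip trailing dots, and add the Unicode form of punycode
    entries so a resolver log that stores the decoded name still matches."""
    out = set()
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if not d:
            continue
        out.add(d)
        if "xn--" in d:
            try:
                out.add(d.encode("ascii").decode("idna"))
            except UnicodeError:
                pass  # malformed punycode label; keep the ASCII form only
    return out


def match_domain(query: str, iocs: set):
    """Return the indicator if query equals it or is a subdomain of it; None otherwise.
    Label-wise suffix matching avoids false hits such as notx2-ape.net."""
    labels = query.strip().lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match a bare TLD
        cand = ".".join(labels[i:])
        if cand in iocs:
            return cand
    return None


# Constructed DNS log lines in "<ts> <client> <qname>" form (not real telemetry).
SAMPLE_DNS_LOG = """\
2022-06-21T10:01:02Z 10.0.0.15 www.breathdiagnostic.com
2022-06-21T10:01:05Z 10.0.0.15 update.microsoft.com
2022-06-21T10:01:09Z 10.0.0.22 x2-ape.net.
2022-06-21T10:01:11Z 10.0.0.22 notx2-ape.net
2022-06-21T10:02:40Z 10.0.0.31 HOLLY22.COM
"""


def scan_dns_log(log: str, iocs: set) -> list:
    """Return (client, qname, matched_ioc) for every line whose query hits an indicator."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, qname = parts
        ioc = match_domain(qname, iocs)
        if ioc:
            hits.append((client, qname, ioc))
    return hits


def suricata_dns_rule(domain: str, sid: int) -> str:
    """Emit a Suricata 5+ dns.query rule for one indicator (example rule, not an ET rule)."""
    return (f'alert dns $HOME_NET any -> any any (msg:"XLoader ta3t config domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    iocs = load_domains(CONFIG_DOMAINS)
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG, iocs):
        print(f"{client} queried {qname} -> matches {ioc}")
    for n, d in enumerate(sorted(iocs), start=9000001):
        print(suricata_dns_rule(d, n))
```

Because only one of the 64 domains is the real C2, expect a match to tell you which host ran the sample, not which domain the operator uses; pivot on the client and on the process that made the query rather than blocking the single matched domain.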
Targets

Target: FACTURA.xlsx (80KB; same MD5, SHA1, SHA256 and SHA512 as listed under General)

Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (listed twice in the original report; XLoader is the successor of FormBook, so the Emerging Threats rule still carries the FormBook name)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile (listed twice in the original report)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext (commonly process hollowing or thread hijacking into another process)
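The behavioural signatures above are individually noisy (compilers run, temp executables run, SetThreadContext is used by debuggers), so the useful detection is the chain: an Office process spawning the compiler, a binary executing from a user-writable path inside that process tree, and SetThreadContext issued from that tree. The following is an added example, not part of the report or of the sandbox's own signature logic; it assumes "Uses the VBS compiler for execution" refers to vbc.exe (the .NET Visual Basic compiler), and the process and API events are constructed to illustrate the chain, not taken from the report.

```python
"""Correlate Office -> compiler -> dropped-EXE -> SetThreadContext over a process event stream.
Added example, not part of the sandbox report. Event list is constructed."""
import ntpath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumption: the report's "VBS compiler" signature refers to vbc.exe; extend as needed.
COMPILER_CHILDREN = {"vbc.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed events (not real telemetry): process-create records plus one API record.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"},
    {"type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Users\victim\AppData\Local\Temp\update.exe"},
    {"type": "api", "pid": 300, "call": "SetThreadContext", "target_pid": 400},
    {"type": "process", "pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(m in p for m in USER_WRITABLE_MARKERS)


def analyse(events: list) -> list:
    """Return (finding, pid) tuples in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}

    def ancestors(pid):
        # Walk parent links; stop on unknown parent or a cycle in bad telemetry.
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            yield pid
            pid = procs[pid]["ppid"]

    def in_office_tree(pid):
        return any(basename(procs[a]["image"]) in OFFICE_PARENTS for a in ancestors(pid))

    findings = []
    for e in events:
        if e["type"] == "process":
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            if name in COMPILER_CHILDREN and parent and basename(parent["image"]) in OFFICE_PARENTS:
                findings.append(("office_spawns_vbc", e["pid"]))
            if is_user_writable(e["image"]) and in_office_tree(e["pid"]):
                findings.append(("executes_dropped_exe", e["pid"]))
        elif e["type"] == "api" and e["call"] == "SetThreadContext" and in_office_tree(e["pid"]):
            findings.append(("setthreadcontext_from_office_tree", e["pid"]))
    return findings


if __name__ == "__main__":
    for finding, pid in analyse(EVENTS):
        print(f"{finding}: pid {pid}")
```

Scoring on the tree rather than on single events keeps the false-positive rate low: explorer.exe (pid 500) never enters the findings, and a developer's standalone vbc.exe run would not either because its parent is not an Office process.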