General

Target: LibertyInsuranceCustomerInvoice.doc.xlsx
Size: 71KB
Sample: 220621-pea5psffg5
MD5: aedfb52791a420327c6a8ce3faa662b3
SHA1: 9a1815c8af55e41dc83a79c33f37b67048f0b49c
SHA256: 6104f7a9a6b6aea3bbf732dba31520ed3be11e00126d350106dfdcf62cbc6f45
SHA512: 73a69ad4c888290ab4ff5c32024d3b82aed5aa317300d43ed0700dbee4dcc88620270ab7be25bfd3c427e5eb2cb94445c217a42cc4c2873f4116c916f84cba2c
Static task: static1

Behavioral task: behavioral1
  Sample: LibertyInsuranceCustomerInvoice.doc.xlsx
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: LibertyInsuranceCustomerInvoice.doc.xlsx
  Resource: win10v2004-20220414-en
Malware Config

Extracted
Family: xloader
Version: 2.8
Campaign: uem3

Extracted configuration strings (as reported):
- AKGB4wSx6J+2x1WgKQ==
- 54dc0yNdRnO/FCSAQeL+Tp0=
- ZRLkrEHNZ1d1yg==
- mubhdcr1EugF/who
- GKVThpCZVtY9m+c1Fos=
- nkctk6m82Pno8fVf1ydrfAATjEJvRDxWwYwVjxGMIA==
- pvFvmLjefiJ5IWvPaWSZKCk4
- L7Vhm+sduit68jRIH4k=
- hL6j/yJOaBqxEBE=
- 0ehJg24Ot+O6+glq
- fLuQ9QUfvhqxEBE=
- kj8Tk+ks8qO0BjegJAVIRvzyF7hxyblXhHMLjxGMIA==
- fbEsS1zjAndVOUuKJh2HnGWtnmQg
- CrSJBiq9FEgbO3iXjYHq
- 349o4SvGd6ONa4baf26ZKCk4
- f703eo4Wud/r5v9BL+L+Tp0=
- OFi0/02FMpps+gg=
- +jsvlbdP/aqW1gY=
- ZpHdFzM396f6oDRIH4k=
- YWfAF3GfNaPzWVnHTTSEkmOtnmQg
- CZVBhKgc4grz9fto2R5ov+PcYA==
- 7JOBHk3nfJhvmds2xB5sv+PcYA==
- ZxfuW2XzgG5VX3/LYEWXpIT135I5
- FLVgjpulr5/2puIupeL+Tp0=
- wQrpacJkFhC6+glq
- eL43YoCFp8NkmJr1x6Di
- XrYnP0O12ImOcomXjYHq
- Y4nnLn4k6BG6+glq
- tcuAuSa/Z1d1yg==
- duqTGkVfIph60ihDJoP9
- ntJBkNh1APjX6z2MXrILFAU8mULObCcbkCxl
- oK1fAVYIevDMx1WgKQ==
- 4RHAYn/5zPjX5OQ/wxFPXdn2UOiBu7TLZovxPk8=
- xFImK3mlS+igkqTwgW2ZKCk4
- 6i6Qm7fZoXbUeLsGuINHwq6v/KUo
- TIFJUwbLZ1d1yg==
- +ECp5ACQS3FtZniXjYHq
- dioIc46oahVpx1WgKQ==
- 8xzZX4D2xB984N8+peL+Tp0=
- bbCVFjQ1Yo16nu4L7bT3Qigw
- k8UxU20JoIR3x1WgKQ==
- /KJ+3feKkCeC/e0L7bT3Qigw
- 6BPISWz4tu5/FxdvPRp6v+PcYA==
- Gse0Q5Au7CI3QUGIWDdyh1F4wVgldRtI
- HEat3ezznTHg/kWkW2aZKCk4
- bq909DRQaBqxEBE=
- Mz+g7T91JM1SxtUXCwJmbN3jWh7KcygbkCxl
- 3zi15PV2Z1d1yg==
- 0e+mJXcsTO5f7jRIH4k=
- 3h0Wna898hUACw9iOCCDhO6nBgXu+68=
- YJP9Q5lcbAVh/0qbJbUOZKp6q20i
- QGnY+iHJXHVhsfZlLaz8+0EwoUB5ZV5un7pJhA==
- nUErvdhLcw5w9ABkNuL+Tp0=
- 6pkkaYOFJp+yx1WgKQ==
- A52BD1TzBqq9x1WgKQ==
- 5wWvJTw7Bq0MN3LmPg==
- 7inwZXWOWtMndMAQ4vsuMA==
- QdGHq9HvZ1d1yg==
- r1UGS5i3SbL+fojix0O1tJCq7qVi6plUdA==
- E8OmGDZb8YY9Yam7nI/z
- B01E2BaVNk4hA/9uM+L+Tp0=
- wNU6UmQLt9/mQX2hoPEeNQ==
- rFU2l6WRWwsOV6+9f90bJpE7aA==
- 7p1biaA8A6qL0w==
- progestionsoftwares.info
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext