General
- Target: PO1286482.xlsx
- Size: 78KB
- Sample: 220621-wmshaabfd7
- MD5: 1122f29208098e9d39655827fe7efbd6
- SHA1: fca1db5fff0698113d88e70c876a63e630a6ff0e
- SHA256: 756240595bd69e9c3415ff6c49e8703dc2bb54bdaa0d2914ce5e33ab92f51813
- SHA512: 16469a4999250767b4cc4a6df0642fc7215b1d87fd77fb60ae06b32cda06c871b04b63f8b7187cb49faaa331825006118c0308af946f5d38201b430b393a5416
Static task: static1
Behavioral task: behavioral1
- Sample: PO1286482.xlsx
- Resource: win7-20220414-es
Behavioral task: behavioral2
- Sample: PO1286482.xlsx
- Resource: win10v2004-20220414-es
Malware Config
Extracted
xloader
2.6
zgtb
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Xloader Payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext