General
Target: Alfa Laval Aalborg AS Overdue Invoice .xlsx
Size: 69KB
Sample: 220627-sfkx3scadl
MD5: 600a82701077aed99add9b55a9d22408
SHA1: d548046f0ffab010399a4d77997d667c5f89a9aa
SHA256: 2a20bbe8c5562c5e602ca21bf5c68433d1bf41f9e126fd3d8450c6a7ca56ffb6
SHA512: 0f564cd63fae33668b45c4dce887e86834390e53b46686f1c4853973060d2c8544fdc9a2bd0ee747a1d2bbe0094380cff5d9615bc63c7c0ed2338aeba94c7c1a
Static task static1
Behavioral task behavioral1: sample Alfa Laval Aalborg AS Overdue Invoice .xlsx, resource win7-20220414-en
Behavioral task behavioral2: sample Alfa Laval Aalborg AS Overdue Invoice .xlsx, resource win10v2004-20220414-en
Behavioral task behavioral3: sample decrypted.xlsx, resource win7-20220414-en
Behavioral task behavioral4: sample decrypted.xlsx, resource win10v2004-20220414-en
Malware Config
Extracted: xloader, version 2.9, iewb
Targets
Target: Alfa Laval Aalborg AS Overdue Invoice .xlsx
Size: 69KB
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
Target: decrypted
Size: 64KB
MD5: f47afe6c3e0e23c768f4cb611d98f824
SHA1: 63fe705d6d6a85117f57af2431f083ba6c472eed
SHA256: 57c1e1c28a5b553d08d4ab23656d014d8b2e0b071207b516f6db3dd726b575c6
SHA512: e4ee26d06dcd59a9362560972fb27f036e95e6872533679cfe1a3e643c60187af18fe63766e0bf8d89c317852ef28db6b19178bf65c0ce07681b3b941227e4ff
Score: 8/10
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Abuses OpenXML format to download file from external location
- Loads dropped DLL
- Uses the VBS compiler for execution