General

Target: OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx
Size: 176KB
Sample: 220705-mesnmsgbcr
MD5: 412a8c592355ec728eb128d77a1824cf
SHA1: 76a6c61631edb07a0663ab214a57628f460e67fd
SHA256: 9d4afb06bbe9a89173e3bdf8b5b8472e52d87c7ca44468d3a5d4681d88bec129
SHA512: 8cd985bc5c8061ae1f5b04fade9478ef02125649869027030b4879c68255f7e4376cbdf651497052014562274453609948661e3917338ef6d1b7e1fffe6e6e25
Static task: static1
Behavioral task: behavioral1 (sample: OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx, resource: win7-20220414-en)
Behavioral task: behavioral2 (sample: OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx, resource: win10v2004-20220414-en)
Malware Config

Extracted
Family: xloader
Version: 2.6
Campaign: a2es
Domains: the 64 entries below are the domain list embedded in the config. FormBook/XLoader configs carry one real C2 among a set of decoy domains and the bot beacons to decoys as well as the real server, so treat the whole list as network IOCs for this sample, but do not assume every host on it is attacker-controlled.
glutenfreebahrain.com
sportrid.com
js-films.com
cie-revolver.com
outsourcinginstitutebd.com
roboticsdatascience.com
tebrunk.com
needgreatwork.com
df1b8j2iwbl33n.life
voluum-training.com
cherna-roza.com
xiyouap.com
bluefiftyfoundation.com
angolettomc.com
yhcp225.com
keondredejawn.com
ifeelsilky.com
coraorganizing.com
smartmindstutorials.com
tanphucuong.info
cxy.cool
criatorioimperial.online
timelyzer.com
chounvwd.com
taxidrivertrading.com
vooyage.xyz
mbtq.financial
tmshop.ma
newexmag.com
wildblumebmd.com
faucetvddw.club
sexism.info
precisionspinecolorado.com
jmigy.com
theplayhouse88.com
theskinrevive.com
envisionexpereience.com
matuschekandcompany.com
zouyuting.com
loansbill-pay.website
albertoalaniz.space
elfstore.net
klapia.online
panxiaozhi.net
soprodutosgeniais.com
amstorex.com
tiktokrycy41.xyz
datisbrick.com
hotelnoucanguillem.com
prekkr.com
jensenko.com
spiritualteashop.com
cyberdyne.world
0xauetw0ye50f.xyz
berendsit.com
kalycollcwn.info
tonenusdt.xyz
ckhla.com
igralki.com
princesskinnymixers.com
tvmountinstallguy.com
choicegoodsshop.com
diamont-services.com
mideazhiyou.com
katescakesandcreations.com
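The following is an added example, not part of the sandbox report: it parses a config block in the same flat layout as the "Extracted" section above (family, version, campaign, then one domain per line), runs the domain list as a blocklist over DNS query logs with proper suffix matching, and emits equivalent Suricata dns.query rules. Only eight of the 64 domains are embedded, the DNS log lines are constructed, the sid range is a placeholder, and the use of the dotprefix transform assumes Suricata 6 or later.

```python
"""
Parse the extracted xloader config (family, version, campaign, then one
domain per line) and run its domain list as a blocklist over DNS query logs.
Added example for this report; the log lines are constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Excerpt of the "Malware Config / Extracted" block, same layout as the report.
# Eight of the 64 domains are embedded to keep the example short; paste the
# full list after the campaign line to use it for real.
CONFIG_TEXT = """\
xloader
2.6
a2es
glutenfreebahrain.com
sportrid.com
js-films.com
cie-revolver.com
tebrunk.com
cxy.cool
mbtq.financial
katescakesandcreations.com
"""

# Constructed DNS log: timestamp, client IP, record type, queried name.
SAMPLE_DNS_LOG = """\
2022-07-05T14:02:11Z 10.0.0.17 A www.google.com
2022-07-05T14:02:13Z 10.0.0.17 A www.sportrid.com.
2022-07-05T14:02:14Z 10.0.0.17 A notsportrid.com
2022-07-05T14:02:19Z 10.0.0.23 AAAA CXY.COOL
2022-07-05T14:02:20Z 10.0.0.23 A mbtq.financial.example.net
garbage line that does not parse
"""


@dataclass
class XloaderConfig:
    family: str
    version: str
    campaign: str
    domains: Set[str] = field(default_factory=set)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot many resolvers log."""
    return name.strip().rstrip(".").lower()


def parse_config(text: str) -> XloaderConfig:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 4:
        raise ValueError("config block needs family, version, campaign and >= 1 domain")
    family, version, campaign = lines[:3]
    return XloaderConfig(family, version, campaign, {normalize(d) for d in lines[3:]})


def match_qname(qname: str, domains: Set[str]) -> Optional[str]:
    """Return the IOC that qname equals or is a subdomain of, else None.

    Walks the label suffixes, so www.sportrid.com hits sportrid.com, while
    notsportrid.com (substring) and mbtq.financial.example.net (IOC in the
    middle of the name) do not. The bare TLD is never tested.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in domains:
            return suffix
    return None


def scan_dns_log(log_text: str, cfg: XloaderConfig) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, qname, matched IOC) for every hit."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that are not in the expected 4-field layout
        ts, client, _rtype, qname = parts
        ioc = match_qname(qname, cfg.domains)
        if ioc is not None:
            hits.append((ts, client, normalize(qname), ioc))
    return hits


def suricata_dns_rules(cfg: XloaderConfig, sid_base: int = 9000000) -> List[str]:
    """One dns.query rule per domain. dotprefix + endswith matches the domain
    and its subdomains without matching notsportrid.com (Suricata 6+).
    sid_base is a placeholder; pick a range that does not collide locally."""
    rules = []
    for n, dom in enumerate(sorted(cfg.domains)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"{cfg.family} {cfg.version} '
            f'campaign {cfg.campaign} domain {dom}"; dns.query; dotprefix; '
            f'content:".{dom}"; nocase; endswith; sid:{sid_base + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, cfg):
        print(*hit)
    print("\n".join(suricata_dns_rules(cfg)))
```

The suffix walk in match_qname is the part worth keeping: a plain substring or endswith check on a blocklist of this size produces false positives on unrelated names that merely end in the same characters, and the dotprefix transform in the generated rules exists for the same reason.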
Targets

Target: OVGSGNLTK982022 TDR IRIS MIKO 19S.xlsx
Size: 176KB
MD5: 412a8c592355ec728eb128d77a1824cf
SHA1: 76a6c61631edb07a0663ab214a57628f460e67fd
SHA256: 9d4afb06bbe9a89173e3bdf8b5b8472e52d87c7ca44468d3a5d4681d88bec129
SHA512: 8cd985bc5c8061ae1f5b04fade9478ef02125649869027030b4879c68255f7e4376cbdf651497052014562274453609948661e3917338ef6d1b7e1fffe6e6e25

Suricata alert: ET MALWARE FormBook CnC Checkin (GET) (the ET ruleset keeps the FormBook name; XLoader is the rebranded successor of the same family)
Signatures

- Xloader Payload
- Adds policy Run key to start application (autostart entry under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, a less commonly monitored alternative to the ordinary Run key)
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext (typical of process hollowing and other thread-hijacking injection)
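As an added example for the "Adds policy Run key" signature above (not code from the sandbox or the report), the check below flags registry value writes to the Policies\Explorer\Run autostart key, and the ordinary Run/RunOnce keys, in Sysmon-style Event ID 13 records. The events, the SID, and the dropped-file name wqkp.exe are constructed placeholders; the report does not name the process or value this sample used.

```python
"""
Host-side check for the 'Adds policy Run key to start application' signature:
flag registry value writes under the Policies\\Explorer\\Run autostart key
(and the ordinary Run/RunOnce keys) in Sysmon-style Event ID 13 records.
Added example for this report; the events below are constructed, not captured.
"""
import json
import re
from typing import Dict, List

# Autostart key paths. "Policies\Explorer\Run" is the location the report's
# signature refers to: it starts programs at logon like ...\Run does but is
# watched far less often, which is why droppers favour it.
AUTORUN_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<kind>Policies\\Explorer\\Run|RunOnce|Run)\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed Sysmon records as JSON lines (EventID 13 = value set, 12 = key
# create). Image/value names and the SID are placeholders.
SAMPLE_EVENTS = r"""
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Roaming\\wqkp.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\wqkp", "Details": "C:\\Users\\user\\AppData\\Roaming\\wqkp.exe"}
{"EventID": 12, "Image": "C:\\Users\\user\\AppData\\Roaming\\wqkp.exe", "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run", "Details": ""}
{"EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SecurityHealth", "Details": "C:\\Windows\\System32\\SecurityHealthSystray.exe"}
"""

# Directories a legitimate autorun target rarely lives in (heuristic only).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def find_autorun_writes(event_lines: str) -> List[Dict[str, object]]:
    """Return one finding per Sysmon EventID 13 write to an autostart value."""
    findings: List[Dict[str, object]] = []
    for line in event_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 13:
            continue  # only value-set events carry the command line that will run
        m = AUTORUN_RE.search(ev["TargetObject"])
        if not m:
            continue
        kind = m.group("kind")
        command = str(ev.get("Details", ""))
        findings.append({
            "hive": ev["TargetObject"].split("\\", 1)[0],
            "kind": kind,
            "value": m.group("value"),
            "image": ev["Image"],
            "command": command,
            # writes to the policy key are rare in normal operation; ordinary
            # Run writes are common, so rank them lower
            "severity": "high" if kind.lower().startswith("policies") else "medium",
            "user_writable_target": any(h in command.lower() for h in USER_WRITABLE_HINTS),
        })
    return findings


if __name__ == "__main__":
    for f in find_autorun_writes(SAMPLE_EVENTS):
        print(f["severity"], f["hive"], f["kind"], f["value"], "->", f["command"])
```

Sysmon logs user hives as HKU\<SID>\..., so the regex deliberately matches on the path fragment after the hive rather than on HKCU; the user_writable_target flag is a heuristic hint for triage, not a verdict.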