General
Target: HSBC-SWIFT 05.07.2022.xlsx
Size: 176KB
Sample: 220705-pffrksahe5
MD5: e5a13d1ba130b94576402fe59bdad693
SHA1: 7bfc2d69780f44d0db32eb201b80ea161291b097
SHA256: db9f80d5e21c4915236c9c0d6081975ee5bac5d92d5ef82b193378f269b42ab2
SHA512: 53b34e56308248ec65e2fa94500237f97d8a6a789dcf282e8a19bc2ae48cf157648ed6662952decbce241958012020d88b16ab96699d49e6e41a68d65aea7314
Static task: static1
Behavioral task: behavioral1
  Sample: HSBC-SWIFT 05.07.2022.xlsx
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: HSBC-SWIFT 05.07.2022.xlsx
  Resource: win10v2004-20220414-en
Malware Config
Extracted
xloader
2.9
wfc6
Targets
Target: HSBC-SWIFT 05.07.2022.xlsx
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE MSIL/GenKryptik.FQRH Download Request
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Xloader Payload
-
Blocklisted process makes network request
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Uses the VBS compiler for execution
-
Suspicious use of SetThreadContext
-