General
Target: PURCHASE ORDER INQUIRY.zip
Size: 861KB
Sample: 220930-sn1y9sdhg7
MD5: e5d77e2a170a4bd3d050b7b3596de535
SHA1: cae3584e5716702649859745d43a9b258cf5a264
SHA256: bde0b375d6dabfcbb9f4b193eebd264caa732b1a2ae55956b20ab6d3369a8043
SHA512: 7d95f3154bbf07504f9a56b56c99507e7d5a2439b37a36a2f5ea68709b5ed5fc37eeecbd1bfd0c1b813f038f9bdea4ea47e776943c8b589c31c02f626aefdeee
SSDEEP: 12288:aQmp2Gs1TJUUtvmzl/Tf7is2K4RHx9dA0fmK3Xldb/PaTLyVD+avEyvkhVIpTkwm:aQaOtJUUtaBGpRj1mw1N/PAuVzdMoTkF
Static task
static1

Behavioral task
behavioral1
Sample: PURCHASE ORDER_xslx.exe
Resource: win7-20220812-en

Behavioral task
behavioral2
Sample: PURCHASE ORDER_xslx.exe
Resource: win10v2004-20220812-en

Behavioral task
behavioral3
Sample: Purchase Order Specifications.pdf
Resource: win7-20220812-en

Behavioral task
behavioral4
Sample: Purchase Order Specifications.pdf
Resource: win10v2004-20220812-en
Malware Config

Extracted
Family: formbook
Campaign: h96v
Extracted
Family: xloader
Version: 3.5
Campaign: h96v
Targets

Target: PURCHASE ORDER_xslx.exe
Size: 1MB
MD5: 29ddf9bc83a82aa5a5c130e634190270
SHA1: cc28d16ec623eb5ecdc42508205e015708a07f25
SHA256: 02f48efdcdc0eb31789fd2c571acbc10c5e5fc337d3b01ce1d442784646c43d8
SHA512: e59f1efc9ca57355cb2707aee59eaaee3ac6d96fd36f8520e3200203d79f0f39756d019843227ad7bc60f6ddb38b00ba12fb78ebdd6e558831531440fe920db5
SSDEEP: 24576:tp/pB0n0Kf2fRjRowjP/PwYVBLoglhppppppp:tp/pmnZfcjj3oOCglhppppppp
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
Target: Purchase Order Specifications.pdf
Size: 2KB
MD5: c9abaff60d8aa3558f28cac7cd67bafe
SHA1: aea285af089a32d6b34ca1213c39d1cc228e789c
SHA256: 13146e94eb84297749c9d894ca8bee1e3b394a26c77e3f8414992dcece9cdb91
SHA512: 10c1bf863b6b4199d57b975b0197893297c68c035f14a07d0ee1ebbe4ae4f0b46d2d5aed7a3d7e1ae81e325caa4b0a2b173857c485fa919eba78224b0a639936
Score: 1/10
MITRE ATT&CK Matrix
Collection
Command and Control
Credential Access
Defense Evasion
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation