General
-
Target
PRS TT copy_pdf.exe
-
Size
297KB
-
Sample
210114-kh6g2wxs9s
-
MD5
c19720396e3a0517b1c3e9c75dcab551
-
SHA1
ceb4ae7e086ebfed538632b9413b7f61c23f6151
-
SHA256
147690957c45aafb5929325a902f5c45e9b3a9845f0c9b273bd1e08f5e327d12
-
SHA512
a16e89c0a6112c1bd0eb75b61337e99ccd68b19b89e6cbbfcc6baa0bcaaffe6cabc209662240d0c929205c67d0ae5822e85b43be5f9d3b7cb62b947b890f00fc
Static task
static1
Behavioral task
behavioral1
Sample
PRS TT copy_pdf.exe
Resource
win7v20201028
Malware Config
Extracted
formbook
http://www.destinny.com/s9zh/
paintedinafrica.com
electrumfix.download
edlange.com
tqiawy.xyz
satiscenter.xyz
nc-affiliates.com
agencybuilderforum.com
testabcde.net
venisseturf.net
rubenvdsande.com
nzmatrimony.com
mdthriftsandflips.com
virtualfxstudio.com
communityinsuranceut.com
qqbokep.com
copeva.net
bookedupdaily.com
houstongrowmyairway.com
fortunapublishing.com
empireplumbingandheating.com
globalefactory.com
alfrednelson.com
kernwide.com
soulwaves.info
iregentos.info
emfirstchoice.com
popvoc.com
clubdeproyectos.com
nathanlaube.net
davaresoon.com
girlsnightoutcollection.net
alchemdiagnostics.com
intlgrowcap.com
northeasttnrentalproperties.com
1971265.com
yobingo.ltd
comunityassn.com
pupupe.com
physicianmedspa.com
forestloretour.com
tauntongo.com
elegancescent.com
traumatotrust.com
blkdenim.com
b-taking.com
naturalhealthadvisery.com
fight-box.com
socia1security.net
prestondelnorteapartments.com
peaclbgju.icu
thegolfclubatcirclec.com
westqueenwestlofts.com
elitedesignzink.com
czpeixun.com
blossomenterpriseuganda.com
danettesgifts.com
psikometriums.com
rainbowbanks.com
deshbari.com
movementspecialistslv.com
amkcar.com
contractorsan.com
onurtel.com
dotalogy.com
Targets
-
-
Target
PRS TT copy_pdf.exe
-
Size
297KB
-
MD5
c19720396e3a0517b1c3e9c75dcab551
-
SHA1
ceb4ae7e086ebfed538632b9413b7f61c23f6151
-
SHA256
147690957c45aafb5929325a902f5c45e9b3a9845f0c9b273bd1e08f5e327d12
-
SHA512
a16e89c0a6112c1bd0eb75b61337e99ccd68b19b89e6cbbfcc6baa0bcaaffe6cabc209662240d0c929205c67d0ae5822e85b43be5f9d3b7cb62b947b890f00fc
-
Xloader Payload
-
Uses the VBS compiler for execution
-
Drops desktop.ini file(s)
-
Suspicious use of SetThreadContext
-