General
- Target: payment advice_mt103645367.exe
- Size: 156KB
- Sample: 210415-3aga2dk2ys
- MD5: e4f3fd2e517743504817b7c3e2032de3
- SHA1: b42b6607bef7562a38a55b1d74fbb6e5d91f8fcf
- SHA256: 08673c97c9a0e20536ce90e162e7da11dde8d4bfc4c01cabe7d3baeafaf449e6
- SHA512: b5cfc38957afef0641a7da98b9d48a5af2f25bc06a4d33865a0204e788902f4ad1e57efb3c34a5ae970bf3fa03eeddb084707ef4fb2b97f0c3ba908c53092822
Static task: static1
Behavioral task: behavioral1
- Sample: payment advice_mt103645367.exe
- Resource: win7v20210410
Malware Config
- Extracted: xloader 2.3
- http://www.healthpro.info/hwad/
Targets
- Guloader Payload
- Xloader Payload
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext