General
Target: 1.exe
Size: 897KB
Sample: 210420-5ebycpmrc2
MD5: 536aff0decd8fed875614884ee60688d
SHA1: 3bcf60af93eea9ea3fc4305ffcf8b9af3f8ba46f
SHA256: f59a0b8ff551c6e41c2ba30190d930eb971691d455eaff001a1d0c8fd3995e06
SHA512: a160fae81ee3fe41111db4d449f7d0289da2b550dc054d3b841a0a8fef98ba17344f7f8bb77027cb183152b84e236458b4db0daab1e653a38371b938f940c63e

Static task: static1
Behavioral task: behavioral1
Sample: 1.exe
Resource: win7v20210410

Malware Config
Extracted: xloader 2.3
http://www.wahaclean.com/8ufh/
Targets
Target: 1.exe
- Looks for VirtualBox Guest Additions in registry
- Xloader Payload
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext