General

Target: Advised Original Copy.exe
Size: 116KB
Sample: 210504-wrxm72s1g6
MD5: c7204a082507c549863ff363ea3c087c
SHA1: aab2be6081caa29574b359933e908a47418e6e22
SHA256: de69ed8e2b3ba6de15b3f28b802725d41241e5b6d6717e522a2b53db860a1efb
SHA512: d7a0b3aa53072297d92323f262851c1e93eeab0fd74f5628c9bba803ec1452ee584ea2907e5c0ee542cb36997e87ce2db1600e725f5847724c6678dd24b8476d

Static task: static1
Behavioral task: behavioral1
Sample: Advised Original Copy.exe
Resource: win7v20210410

Malware Config

Extracted: xloader 2.3
http://www.innovativevan.com/i8be/
Targets

Target: Advised Original Copy.exe
- Xloader Payload
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext