General

Target: samples.zip
Size: 60KB
Sample: 210504-yqd3wj2b9j
MD5: 365b2c4ceb407b718259bcdb645071f3
SHA1: b419e462e61007469718280974b59a487462b033
SHA256: e8384166957076efd104eaf0443b1cda502c5d6e3bdc3f0ea4764b5adb77ee16
SHA512: 1d0cce1c8282892c91d80940e25ce48eef26fac07b551c1b1d58c9273b6ae8c9163fccf4a536c3a2a32aa8201fa1ccdcb9061c49d68379e561d282dd00984a08
Static task: static1

Behavioral task: behavioral1
Sample: Original copies of shipment docs.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: Original copies of shipment docs.exe
Resource: win10v20210408

Behavioral task: behavioral3
Sample: pic05678063.exe
Resource: win7v20210410
Malware Config

Extracted: xloader
Version: 2.3
http://www.innovativevan.com/i8be/
cdymjim.icu
globalmilitaryaircraft.com
slusheestore.com
freepdfconvert.net
itadsweden.com
legenddocs.com
metholyptus.com
966cm.com
mobilitygloves-protect.com
travaze.net
go-kalisa.com
believehavefaith.com
nywebhost.com
semitsol.com
wowyuu.net
cochesb2b.com
gobesttobuy.com
senmec23.com
bmsgw.com
newazenterprise.com
onlinefitnessmechanic.com
makeournationsafeagain.com
climat2020.com
hamsikoysutlaci.net
networkslice.com
wanganwanderer1.com
nationwidesignage.com
lucianmediazone.com
geekyweel.com
hzky888.com
mcfarlaneweb.com
c-w3.com
covidstracking.com
flowingwealth.com
sprinklesglobal.com
secret-mall.com
extraclasss.com
stasiapl.com
1905vintage.com
8649gb.com
brisketbeard.com
optionsafecode.com
foms4om.com
differentquartz.info
freshly.pizza
levettfyneralhome.com
leteeshirtboutique.com
creativesdanfe.com
t-oils.com
seoforamz.com
carbon2algae.com
kronospros.com
storepisode.com
viautong30.com
weipr.net
mjspizzaandwinghouse.com
e-yzr.com
webcamthing.com
wb917.com
sedentariocero.com
salon-solution.com
solgeneration.com
viviennevaile.com
weightlossbiloxi.com

Extracted: lokibot
http://manvim.co/fc2/fre.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Targets

Target: Original copies of shipment docs.exe
Size: 92KB
MD5: 8b96af7d76b487cea6aa04f565b8cb9f
SHA1: 3e904fec3e82c9f01ccc64fbdcde35d306c6147f
SHA256: 49559dd2c1d9b0841f3384f3080013f8d644760d45ab7cd4fb4928bb2b91f354
SHA512: 786140d030095ce5c0865c21e049c8572e3ee5ec78eadebb15611a4b0f59bac995a306f14e85cd30506cd7661819d3d6a3fe43e4ac714fceb9e0c0991f171790

- Xloader Payload
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Deletes itself
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext

Target: pic05678063.exe
Size: 92KB
MD5: 22b022a5547dbc1c9bcfb8e4d7eb440f
SHA1: 952b628cb42495baf73c468d509f249d55aa7966
SHA256: c2544476ab17fd3fb816a97f08f16548a73c106cca80e1f5e185086d25a9f414
SHA512: c1a8f88047f91c4ad9b0e916d17f2c32c3fa080208d1eb77cab0ce57bb8594337d324bf99275bca1c5eb89d5dcf5898ccefa9de83efbe9a3beb2369ac6355c76

- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext