General
Target: PO No. JTL-009-2021-07.exe
Size: 842KB
Sample: 210710-gzbbtka8we
MD5: 9526eb2eaa158f15a23b8cb9056d2d7e
SHA1: fd64972f650ac8f97c021c448fae5136fdc713ac
SHA256: 79043f2f23a008c67568fd1720f10911cfba7ba8008bd214599c6db49aa39791
SHA512: c29686b8ffc2ebc53491274e5ffe0ba820d48c55974340e418dc588fa13dfd19fe875ca4cd1452d0577dce13ccccfb12aa80a532f2ec3bafe740b6439ba8974e
Static task: static1
Behavioral task: behavioral1
Sample: PO No. JTL-009-2021-07.exe
Resource: win7v20210410
Malware Config (extracted)
Family: xloader
Version: 2.3
URL: http://www.healthypsn.com/h2eb/
Domains:
morganhomesnc.com
dwlogitech.com
bismillahbodyoil.com
lilybodacious.com
hangongqiu.com
helpthefam.com
bagladynmore.com
getfreecodes.xyz
robertbrookstowing.com
grohesmartprogram.com
silverpointbc.com
thebeauticrewpodcast.com
realzit.com
gift-shoping.space
m7ymonero.com
poolingadministration.com
77mile.com
blueberriesinmybackpack.com
trau-dich-endlich.com
academyemails.com
aukjznuw.icu
majidamin.com
ziezonee.com
iotmarketshop.com
medicalphysicsfigures4ed.com
rm-excavating.com
yufei365.com
lafloridanoticias.com
lookingthroughtheglass.com
americafightscovid.com
blenderprostore.com
ugcontent.com
isedisposal.com
hedgehoghiker.com
workerinjurycompensation.com
naccparts.com
nuonove.com
usmarketlogic.com
15deerpark.com
voyotech.com
holisticamiga.com
prmsquare.com
tropicalpos.pro
slidefront.net
sushiswap.info
golfwangstore.com
nikishascloset.com
dgl-it.com
bauck-shop.com
biscoiteriasantaterezinha.com
hushmailgmx.com
apsmoneytranfer.online
biewla.com
ankush007.world
equalrightsmotors.com
6966299.com
glamoursdiamond.com
app4drivers.com
buntunm3.com
puracu.com
coffeexe.com
qinuonuo.com
haroopet.com
cyclicarc.com
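The extracted config above is the most useful artifact on this page, but it needs care before it goes into a blocklist: XLoader (Formbook) configs mix the real C2 with decoy domains that the bot also contacts, so the full URL with its unique path (here /h2eb/) is the high-confidence indicator, while the bare domains are low-confidence and include legitimate sites. The following is an added example (not code from the sandbox or from this report) that parses a config block in this page's flattened layout into structured indicators, validates hostnames, deduplicates, and renders a sinkhole-style list. The input is a constructed excerpt that reproduces only a few of the 64 domains plus one deliberately malformed and one duplicate entry.

```python
"""Parse a flattened XLoader/Formbook "Malware Config / Extracted" block into IOCs.

Added example, not part of the sandbox report. Assumes the layout seen on
this page: family, version, one URL, then one domain per line.
"""
import re
from urllib.parse import urlparse

# Constructed input: an excerpt of the page's config block, with a malformed
# line and a duplicate added to exercise validation and deduplication.
CONFIG_TEXT = """\
Malware Config
Extracted
xloader
2.3
http://www.healthypsn.com/h2eb/
morganhomesnc.com
dwlogitech.com
getfreecodes.xyz
gift-shoping.space
not a domain
dwlogitech.com
"""

# A DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
# A hostname: one or more labels followed by an alphabetic top-level label.
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)+[a-z]{{2,63}}$")


def is_hostname(value: str) -> bool:
    """Syntactic hostname check; rejects spaces, bad hyphens, missing TLD."""
    return bool(_HOST_RE.match(value.lower()))


def parse_config(text: str) -> dict:
    """Return family, version, C2 URL/path, ordered unique hosts, rejected lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Skip the report headers; the family name follows the "Extracted" line.
    start = lines.index("Extracted") + 1 if "Extracted" in lines else 0
    body = lines[start:]
    if len(body) < 2:
        raise ValueError("config block too short: expected family and version")
    family, version = body[0], body[1]

    c2_url = None
    hosts = []
    rejected = []
    for entry in body[2:]:
        if entry.startswith(("http://", "https://")):
            # The URL carries the unique C2 path; its host is also an indicator.
            if c2_url is None:
                c2_url = entry
            hosts.append(urlparse(entry).hostname)
        elif is_hostname(entry):
            hosts.append(entry.lower())
        else:
            rejected.append(entry)

    seen = set()
    unique_hosts = []
    for host in hosts:
        if host not in seen:
            seen.add(host)
            unique_hosts.append(host)

    return {
        "family": family,
        "version": version,
        "c2_url": c2_url,
        "c2_path": urlparse(c2_url).path if c2_url else None,
        "hosts": unique_hosts,
        "rejected": rejected,
    }


def to_blocklist(config: dict) -> str:
    """Render the hosts as a hosts-file style sinkhole list (0.0.0.0 per host)."""
    return "".join(f"0.0.0.0 {h}\n" for h in config["hosts"])


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(f"{cfg['family']} {cfg['version']}  C2 path: {cfg['c2_path']}")
    print(to_blocklist(cfg), end="")
    if cfg["rejected"]:
        print("rejected:", cfg["rejected"])
```

When applying this to the full list, keep the C2 URL and path as the detection primary and review the domain list before blocking it wholesale, since the decoys are chosen to look like ordinary sites.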
Targets
Target: PO No. JTL-009-2021-07.exe (842KB; same sample and hashes as listed under General)
Signatures:
Xloader Payload
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator (detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation)
Suspicious use of SetThreadContext (an API commonly used for process hollowing and thread hijacking; consistent with the dropped-EXE and payload-extraction signatures above)