General
Target: INVOICE2.zip
Size: 654KB
Sample: 210723-vlycrkjyb6
MD5: da16592a22c527135a175576d1c17cc8
SHA1: daf5e14f00a499f9f34f6a85c89018d6ed8bca9d
SHA256: f9d4ff7b7962e68fd87afb61c2167118babe134c63fd6760f387bec880bb4f23
SHA512: fe35c47c5e4ea7ff08e3c5b5071c61105dab18110a49248778fb5b9eab3cd9a95d6613539e1dc26c328b466f12eb8c404a02c88660bc969e2b9af4a48980b39a
Static task
static1
Malware Config
Extracted
xloader
2.3
http://www.celebritymist.com/f4ut/
Targets
Target: PAYMENT.exe
Size: 1.1MB
MD5: d639a70d7bb8cd136bc920a15ac2a5fa
SHA1: 4ca0f11ba335654fe8d7dfab478202eb3d90e337
SHA256: d3e580c4794a5e5e50f2334e3ecba635ed049952c30be08f283a72e299f64f8b
SHA512: 9a5c45f99c7e02a6965f413c3df9ca6408c24e0bfb934595199a04f899ce4bb02cfd3288b845cf20dc664476a889dc32c5f7571f07acdac93aca3308a157759e
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Adds policy Run key to start application
Executes dropped EXE
Suspicious use of SetThreadContext