General
-
Target
PAYMENT COPY.exe
-
Size
1.1MB
-
Sample
210920-yr43zshher
-
MD5
dd9dd4dc96b829fb76c94d93549077a3
-
SHA1
ab1b5e44e32b93b10f1697ef407e4e846da30226
-
SHA256
bf335484cc9fdfc68bda67acbe6eab1f65f0f7dd7043b3aff47b47201ca531c5
-
SHA512
e93f9a7258f1645df87976c73aae2b0ece10f9093ce6e28eb6df6e9bc7604df2df1b2d8902604b5c53c4e9684c1da988798ca5da4afb05dddd5c063cb64b5529
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT COPY.exe
Resource
win7-en-20210920
Malware Config
Extracted
xloader
2.5
c2ue
http://www.heidevelop.xyz/c2ue/
isportdata.com
stellarex.energy
hsucollections.com
menuhaisan.com
joe-tzu.com
lumichargemktg.com
uae.tires
rapidcae.com
softwaresystemsolutions.com
s-galaxy.website
daewon-talks.net
northgamesnetwork.com
catalogue-bouyguestele.com
criativanet.com
theseasonalshift.com
actionfoto.online
openmaildoe.com
trashpenguin.com
ennopure.net
azurermine.com
wingkingtong.com
innovativepropsolutions.com
transportesajusco.online
rosenblasts.info
ttsports.store
servpix.com
liveatthebiltmore.com
magentautil.com
aquolly.com
collabsales.com
bredaslo.com
suddisaddu.com
www920011a.com
uudh.info
bleuexpress.com
xivuko.com
upstatehvacpros.com
acami.art
thqahql.com
mauzabe.com
mydrones.net
franciseshun.com
nrrpri.com
adndpanel.xyz
straightcorndinner.xyz
locngrip.com
wgylab.xyz
greenmamba100.com
dmglobalconsult.net
alissanoume.xyz
thecallresources.com
spacesuperslot.com
goodiste.com
mensaheating.xyz
blackbait6.com
keepkalmm.com
kodyhughesracing.com
semantikgis.com
saffoldstrucking.com
ingb.online
popcert.com
tpsynergylab.com
acnefreerx.com
why1314.xyz
Targets
-
-
Target
PAYMENT COPY.exe
-
Size
1.1MB
-
MD5
dd9dd4dc96b829fb76c94d93549077a3
-
SHA1
ab1b5e44e32b93b10f1697ef407e4e846da30226
-
SHA256
bf335484cc9fdfc68bda67acbe6eab1f65f0f7dd7043b3aff47b47201ca531c5
-
SHA512
e93f9a7258f1645df87976c73aae2b0ece10f9093ce6e28eb6df6e9bc7604df2df1b2d8902604b5c53c4e9684c1da988798ca5da4afb05dddd5c063cb64b5529
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-