General
Target: DOC09178236_20210922.cab
Size: 552KB
Sample: 210924-jc4fksgccn
MD5: 02d6a3b0f8437d346e9ac47c6e3c30db
SHA1: 6185990c7684ff45314341d2e8755bb165533308
SHA256: a731201c494158fd9f3b137b67db02ad541ff8faff0f4b26d66d5234027abb60
SHA512: f19c3652089ae32df42e1b2a04a0b6c56054c03d2c7997e9a81f5eb7f645ee9d64036e70e654086519d1dc200ae126a7877e0033d9568ab408be440d95e90373
Static task: static1
Behavioral task: behavioral1
Sample: DOC09178236_20210922.exe
Resource: win7-en-20210920
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: ohi3
C2: http://www.cctassetmanagement.com/ohi3/
Decoy domains:
itaewonbrunchbar.com
spectrosam.com
vanita-bavaria.net
kovrikydoma.store
tilthespire.com
aichuanghuan.com
healingyourbodynaturally.com
1790thirdavenue.com
zollogistics.com
inden-shop.com
fmhra.online
blenbigs.com
ofedward.com
efootball2021-eventpesmob.com
sutas-tr.com
ampersandcraftsuk.com
roofingcompaniestampa247.com
whwkjmhy4f.com
gngifts.com
bellezamarket.store
ebusinessdesignsolutions.com
asianm.art
k88fujita6459.com
fangweima.net
wns12688.com
jbysxjy.com
poundtech.xyz
ehawkstech.com
gypxjn.space
arizonawireproducts.com
pearl-street-art.com
getgrantmoneygov.com
kristinaticklerealtor.com
hetland-development.com
searingsloxzb.xyz
stary-love.com
hablandoespanol.net
338700.com
tacobelliever.com
mediciborgaretto.com
greenworlder-holding.com
wenbaokang.com
paulanercanada.com
sonatapetiti.quest
13192glensidedrive.info
fivestardriving.school
045yu.xyz
bosbabetogel.com
estreetcars.com
crochetbycare.com
hubinternationalinnovation.com
jishangban.com
swooningheartsenterprises.com
scbcommunity.partners
maonagrana.com
servuscollection.com
tactical-gamers.com
droneinspectionpro.com
gazetnydom.com
scottturns30.com
vch.biz
shein.black
amlakcore.com
umldbe.xyz
Targets
Target: DOC09178236_20210922.exe
Size: 734KB
MD5: 38cb740b60d846d2a14a49021a10e164
SHA1: 6d1b170fb830773cb750944938f2ada14499fd07
SHA256: d27692420e58cdd646e9a5bd19618387395ee4bc63d10bbe14fe3548e4546889
SHA512: 4a4a8f86e7fe559771d401766b4df2f9e194f670222156330f150d72677b92b353d27d8ab43aadd0facae1babc3603bf78bb6e714be559cd9e56294384bbc1ce
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetThreadContext