General
Target: COURT-ORDER#S12GF803_zip.exe
Size: 415KB
Sample: 210924-w6mfdahefn
MD5: 5595049f8983e6731ea2e87a96444375
SHA1: cb3be0eac5d0dc5fa65c8053642d9c93fe305e31
SHA256: 8d8be917722d690ef358f41bb560c72285a73331b4cc1b975cc76dcaef68b912
SHA512: b48082267a437d191768d9b5a09fd2d3e1aba059809ed166382ddf2fed7039e517834eb1ebba425614b9e44dd94430e55e247e13824705277e6e7706349f76ab
Static task: static1
Behavioral task: behavioral1
Sample: COURT-ORDER#S12GF803_zip.exe
Resource: win7v20210408
Malware Config
Extracted family: xloader
Version: 2.3
Campaign: u86g
C2: http://www.springgrowmeanairway.net/u86g/
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Deletes itself
- Suspicious use of SetThreadContext