General
Target: RFQ65387,pdf.iso
Size: 422KB
Sample: 210927-bav3esfdcl
MD5: 96702f468ffacbfe0149b23ad46deb44
SHA1: 177c2f7adceba614024dbae53618db18cef943a0
SHA256: 95a278aa609c78dd38f16e531e878d0c30ed0e9dac153eaf1428c5dfb4209cc1
SHA512: bd0fee92ceacd990739a8105c0eac9584f874b0b15179858cb5a152efd0cd1d722db8cf83a4eee1b989da2ccd55804af70878ecd8d6df8b0e19b91b33b9fd2e0
Static task: static1
Behavioral task: behavioral1
Sample: RFQ65387,pdf.exe
Resource: win7-en-20210920

Malware Config
Extracted family: xloader
Version: 2.5
Campaign ID: eqza
C2 URL: http://www.262266.store/eqza/
Decoy domains:
portcities.website
intuiters.com
jpworld1.com
5riversmgnt.com
sub-cold.xyz
atrven.club
joysfamilypressurewashing.com
thrivingafter30nation.com
yaoguankeji.online
homesbythomasadams.com
signalist.xyz
rastipponmkh.com
5o8realty.com
gantongxunlian.ltd
ticvideo.com
renemutt.com
eden-order.com
trevaleaf.com
vatikanlottery.com
zzswfp.com
mebel-pf.store
gabtechglobalacademy.com
sofitel-foshan.com
localvirgingirl.xyz
cashforhuntsvillehomes.com
ledytj.com
floetic.design
eveninggatherings.com
amilawda.com
staybyvalediaz.com
institutfrancais-ifac.com
suddennnnnnnnnnnn20.xyz
perfectempbiz.com
nichesblogs.com
seminoleworm.com
dusa.codes
meetings-expo.com
fuwanming10.com
jessicanutrition.com
speedprosmotorsports.com
diearchitekt.net
httpxhydh233.xyz
petit-clasquin.com
getsimplehabit.com
loveintegritytrust.com
righttriviaemail.com
a2detail.com
xn--oprationmyopie-aix-cwb.com
chalet-in-the-alps.com
neracobel.com
bakc.xyz
v8dmjy4ct.com
freedomtourbus.com
nefesh.pro
blandtigersyouthbasketball.com
objectsapi.com
sxlaochencu.com
efootballpro2022.net
privateproxyguides.com
itgrlglo.com
placerauctions.com
barbaraksmith.store
themintedhotels.com
wwwripostes.net
Targets
Target: RFQ65387,pdf.exe
Size: 360KB
MD5: 9c4328f837278a309e1542f10141b175
SHA1: 042c426526fdf26bcbe7cb1a404f41e9db6d95c3
SHA256: f2510c206c2e43f92163e4f10d43fefa38522cdf17ba22b228e2178523dbf2d4
SHA512: ad581fae46d1a517404e58f1234f684fdac4422a0264f140d8723c95c7fe4c36d5943799edda2d6d2e73b2b702077ef6f8b7910204d52d2d65e34ef90f7ad223

Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext