General

Target: swift_copy_MT103_pdf.exe
Size: 501KB
Sample: 210927-dltpvafedm
MD5: 1c620763897a2166e17aab168bcf0d09
SHA1: 5d3d29ab6ec3f5e4d80f188d15a97002347ea6de
SHA256: 98cd8d900722c5903311d5c8e6a64333fa8bcda553cef3c872ba54a74c6ee47e
SHA512: a631295724d1896dba791db58d2d370bf1330ab57f328253294025f5695da05b7c3ec94192e48421a0c7d19899d9e3bed5aa96f61564d6183fb6857e4bf61077

Tasks
Static task: static1
Behavioral task: behavioral1 (sample swift_copy_MT103_pdf.exe, resource win7-en-20210920)
Malware Config

Extracted family: xloader
Version: 2.3
Campaign: conv
C2: http://www.7stepsmeal.com/conv/ (the campaign ID is used as the URL directory)
Decoy domains (Xloader/Formbook beacons to these alongside the real C2 to hide it in traffic; on their own they are low-confidence indicators and may be legitimate sites):
hydrusgraphene.com
eastwindshomes.com
f1-holding.com
tomrings.com
nickysclosetnest.com
eckare88.com
southboundsupplies.com
asilar.net
ludiali.com
sarahasmussen.com
terreetmerphotography.com
tesserlink.com
xayxcq.com
jobforage.com
76leads.com
onyamarx.com
sandrinafloral.com
a5y7tvmr4.xyz
greatdanesuk.com
superbartendergigs.store
boca-azul.com
bullishsoftware.com
sarahsvirtualofficeteam.com
marketplacestuff.com
simphonya.com
jndzqp.com
testpcrcovid.com
iebcde.com
lfcaihua.com
calvalleysales.com
dunlapandmagee.com
carteddy.com
thelodgepotenza.com
ghoomakadh.com
electrifyitall.com
differentfm.com
ossengeconsulting.com
unisoftwaremarket.com
anhtens.com
anshangbao.com
aerie.sucks
iiotech.xyz
dawnbreakers-guild.com
operatechno.com
palacedepleasure.com
ronaldcraig.com
bangtou123.com
buildtocure.net
portaldoctortv.com
netblocks.exposed
vaiga.pro
serenitypieces.com
redefineyourwork.com
8961599.com
2meducate.com
metalandtubeimpex.com
reviewpayee.com
shopsmallbus.com
shinelogisticsllc.com
silverspiralshop.com
een.xyz
yixinliu.com
recyclewahine.com
gilltales.com
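The C2 URL and decoy list above are only useful once they are turned into something that runs against logs. The following Python is an added example, not part of the sandbox report: it copies the C2 URL and three of the decoy hosts from the config, classifies proxy-log requests against them, and separates high-confidence hits on the real C2 from decoy noise. The proxy log lines and their format are constructed for the example, and the reading that the single URL is the real C2 while the remaining hosts are decoys follows the layout of the extractor output.

```python
import hashlib
import re
from urllib.parse import urlsplit

# IOCs copied from the report above.
SAMPLE_SHA256 = "98cd8d900722c5903311d5c8e6a64333fa8bcda553cef3c872ba54a74c6ee47e"
C2_URL = "http://www.7stepsmeal.com/conv/"
# Three of the decoy hosts listed in the config; extend with the full list.
DECOY_HOSTS = {"hydrusgraphene.com", "eastwindshomes.com", "tomrings.com"}


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    www.7stepsmeal.com and 7stepsmeal.com compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


C2_HOST = normalize_host(urlsplit(C2_URL).hostname)
C2_PATH = urlsplit(C2_URL).path  # '/conv/': the campaign ID as a directory


def classify_request(url: str) -> str:
    """'c2' for the real C2 host (or a subdomain of it), 'decoy' for a
    host from the config's decoy list, otherwise 'none'."""
    parts = urlsplit(url)
    if not parts.hostname:
        return "none"
    host = normalize_host(parts.hostname)
    if host == C2_HOST or host.endswith("." + C2_HOST):
        return "c2"
    if host in DECOY_HOSTS:
        return "decoy"
    return "none"


# Constructed proxy log (not from the sandbox run): time, client, method, URL, status.
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")
SAMPLE_LOG = """\
2021-09-27T10:00:01Z 10.0.0.12 GET http://www.7stepsmeal.com/conv/?id=abc 200
2021-09-27T10:00:02Z 10.0.0.12 GET http://hydrusgraphene.com/conv/ 404
2021-09-27T10:00:03Z 10.0.0.33 GET http://www.tomrings.com/ 200
2021-09-27T10:00:04Z 10.0.0.12 POST http://www.7stepsmeal.com/conv/ 200
2021-09-27T10:00:05Z 10.0.0.40 GET http://example.org/conv/ 200
"""


def scan_log(text: str) -> list[dict]:
    """One finding per line that touches the C2 or a decoy. Decoy hits are
    kept but rated low confidence unless they carry the campaign path."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        verdict = classify_request(url)
        if verdict == "none":
            continue
        path_hit = urlsplit(url).path.startswith(C2_PATH)
        if verdict == "c2":
            confidence = "high"
        else:
            confidence = "medium" if path_hit else "low"
        findings.append({"time": ts, "client": client, "method": method,
                         "url": url, "status": status,
                         "verdict": verdict, "confidence": confidence})
    return findings


def infected_clients(text: str) -> set[str]:
    """Clients that talked to the real C2: the hosts to isolate first."""
    return {f["client"] for f in scan_log(text) if f["verdict"] == "c2"}


def is_sample(data: bytes) -> bool:
    """True when the bytes hash to the SHA-256 recorded in the report."""
    return hashlib.sha256(data).hexdigest() == SAMPLE_SHA256


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['confidence']:6} {f['verdict']:5} {f['client']} {f['method']} {f['url']}")
    print("isolate:", sorted(infected_clients(SAMPLE_LOG)))
```

Blocking or alerting on the decoy domains alone would page on every visit to those sites by every user; the client that reached the real C2 is the one to isolate, and decoy hits matter mainly as corroboration from the same client.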
Targets

Target: swift_copy_MT103_pdf.exe
Size: 501KB
Hashes: as listed under General above (MD5, SHA1, SHA256, SHA512)

Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET) (Xloader is the successor of Formbook and keeps its HTTP check-in format, so the Formbook rule matches its C2 traffic)
Xloader Payload
Deletes itself
Suspicious use of SetThreadContext (redirecting a suspended thread's entry point, a step used for process hollowing and other code injection)