General
Target: Payment document.exe
Size: 532KB
Sample: 210927-e27gbaffej
MD5: d0cceb56aaec4f8d458498904813b790
SHA1: 8efefaefb2a32c05c3282721be10c0b838c0cc96
SHA256: bb60b98852cad89fe450ec8486cee96bb6932b29c692f97d5b7ed7936556845f
SHA512: 26137c91ab694b4bc21d06ed5f5f916c6884f7a7a94536a22948290c9cfa1cb1ac84ecd4f0893784eaab0eb6c674f05d6062b0dc6f61293935bb3eef53571de0
Static task: static1
Behavioral task: behavioral1
Sample: Payment document.exe
Resource: win7-en-20210920
Malware Config
Extracted
xloader
2.4
dbew
http://www.mengtai.xyz/dbew/
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Deletes itself
- Suspicious use of SetThreadContext