General
-
Target
truck pictures.exe
-
Size
634KB
-
Sample
210927-h3flrsfhdl
-
MD5
99ed5f72e5742e549a6ec78655fd3cfc
-
SHA1
31a4f6fc81c45e49f4787cebe622256fa74d8a06
-
SHA256
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
-
SHA512
45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711
Static task
static1
Behavioral task
behavioral1
Sample
truck pictures.exe
Resource
win7-en-20210920
Malware Config
Extracted
xloader
2.5
cuig
http://www.qtih.top/cuig/
sofiathinks-elderly.net
lahamicoast.info
2shengman.com
cbsautoplex.com
arcana-candles.com
genrage.com
kukumiou.xyz
thequizerking.com
sonataproductions.com
rebuildgomnmf.xyz
ubcoin.store
yiyouxue.net
firstlifehome.com
mdx-inc.net
gotbn-c01.com
dinobrindes.store
jcm-iso.com
cliente-mais.com
mloujewelry.com
correoversoi.quest
rc-rental-housing.com
swisstrustcitybank.com
traderjoes-corp.com
mandolinmeditations.com
kathcorp.com
mcdonaldsfastdel.xyz
nielsqanalytics.com
bansity.com
mimosymas.com
atp-cayenne.com
sinterekes.com
nnxsk.com
shushigallery.tech
thgn41.xyz
resporn.tech
growingki.com
themyopiatoolbox.com
angeleyesevents.com
reddishgomjtd.xyz
amazonretailbrickandmotar.net
jewelrybyjma.com
ctroutdoors.pro
357961.com
theakfam.business
skincarefamily.com
xptoempeendimentos.com
tapestrirewards.com
viridilodge.com
bostondowntownrealestate.com
disrepairclaimsuk.com
makaroff.net
thedoublezbar.com
barbicidemalaysia.com
sliv-a.online
showgeini.com
martialartsreigns.online
metamode.space
ch95516.ink
halvorson-pickup.com
mizuno-trouble.net
46dgj.xyz
esylf4vt.xyz
chopaap.com
igorleonardo.com
Targets
-
-
Target
truck pictures.exe
-
Size
634KB
-
MD5
99ed5f72e5742e549a6ec78655fd3cfc
-
SHA1
31a4f6fc81c45e49f4787cebe622256fa74d8a06
-
SHA256
5c8f31380d956958134331ea55e63835fd16ca1f02f4c81672b69db70bc97ab8
-
SHA512
45abc2973402ba0ae81b4e708c257c9e8f5fe472b1fdf969766697a5226481764b0bf8d9be8dd99effd47e7556ed0110b48b892c315d850b952ed700ac2f9711
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Deletes itself
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-