General
Target: QUOTATION.zip
Size: 529KB
Sample: 211002-dnphxadfcl
MD5: 4d5c80683644ca9360de7a279aa678fe
SHA1: eedc3df9ffb95c86a2316fe3e8417b52164ba45e
SHA256: d615091d01a9b770caa28a2b453b3ba57d3e0c42bb8fc5b38ceb64742ee46550
SHA512: b4433401822a406e9b064c7f8f4e521520503cbf8b83e71341846d10e7344a78cff9360a1f3a772b2e5b7811ffd6aa45094269669d4c967b1f216df4c547e106
Static task
static1
Behavioral task
behavioral1
Sample
QUOTATION.exe
Resource
win7v20210408
Malware Config
Extracted
xloader
2.5
c2ue
http://www.heidevelop.xyz/c2ue/
Targets
Target: QUOTATION.exe
Size: 1.1MB
MD5: 4ce1ff3c9b5b16f57513e1c54ee4e96d
SHA1: d024009dbb744ae61815eeb9e0519948b063e059
SHA256: bdf00456287e3b458420249732255abf583ab0d6b5eb263f45d6ff329abdde93
SHA512: f03fa30e8081cbd11d13475641e4bfad6bd0147c670b764346f8c3255fae9992e8d8c82cabc4ce57a58732de1d4ef8a6220a2b71bb6f1ba9d82fb042c23ae619
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Deletes itself
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-