General
-
Target
PO.10032021.zip
-
Size
335KB
-
Sample
211004-s1xglsgeg9
-
MD5
b236cb23e21d653da24854a78621a734
-
SHA1
fce0cd7d773f173ebfc583318f29714c7e0b072a
-
SHA256
591d5e87b26cd03ea5de4713869cc4c492f8c53c0fac150ebdb41eedf3ab9a3a
-
SHA512
72d00e1bae8f05c84e813f53219f22b78fac0170f4fcff96ad53ec5049ca848aaeb54f491a9d5f6672ae91c3909a86882fb7f31bff6948aa236ae1b1d5a8f72b
Static task
static1
Behavioral task
behavioral1
Sample
PO.10032021.exe
Resource
win7-en-20210920
Malware Config
Extracted
xloader
2.5
pvxz
http://www.finetipster.com/pvxz/
imt-token.club
abravewayocen.online
shcloudcar.com
mshoppingworld.online
ncgf08.xyz
stuinfo.xyz
wesavetheplanetofficial.com
tourbox.xyz
believeinyourselftraining.com
jsboyat.com
aaeconomy.info
9etmorea.info
purosepeti7.com
goticketly.com
pinkmemorypt.com
mylifewellnesscentre.com
iridina.online
petrestore.online
neema.xyz
novelfooditalia.com
enterprisedaas.computer
tzkaxh.com
brainfarter.com
youniquegal.com
piiqrio.com
mdaszb.com
boldmale.com
era636.com
castleinsuranceco.com
woodennickelmusicfortwayne.com
customer-servis-kredivo.com
high-clicks.com
greetwithgadgets.com
hfsd1.com
insureagainstearthquakes.net
ultimatejump.rest
parivartanyogeshstore.com
handmanagementblog.com
meishangtianhua.com
michaelscottinsurance.net
kershoes.com
atomiccharmworks.com
conciergecompare.com
zeal-hashima.com
coachianscott.com
hwkm.net
019skz.xyz
jardingenesis.com
sumikkoremon.com
tjpengyun.com
sectionpor.xyz
46t.xyz
sa-pontianak.com
localproperty.team
dotexposed.com
cis136-tgarza.com
eiestilo.com
youknowhowtolive.com
phalcosnusa.com
qaticv93iy.com
hbjngs.com
ocean-nettoyage.com
jenuwinclothes.net
anadoluatvoffroad.com
Targets
-
-
Target
PO.10032021.exe
-
Size
830KB
-
MD5
4ba87f01d518f5b660cc487d488dbf3b
-
SHA1
48ac926df1e641b32935f095523140701d5013c6
-
SHA256
fbaf103427e20432a3dcf19733b5f447bb6f0b2e5c700c76df55c2d977d080ae
-
SHA512
8621c3a2cbb7632a47d1b566e80eae51ad91e037fc49c715d1dc255ced2715791e3b4069d83cb3d6c856e4257674f1775dfb0e48bbd844862b9d7ea59f702547
-
Xloader Payload
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-