General
Target: Inquiry Order.zip
Size: 326KB
Sample: 211007-eqjk4scafr
MD5: ffa8a5b2c9c01f863d6719cc75d958ea
SHA1: 3adc3889741f9ce711d5fdd0a850a868c2dfebed
SHA256: cb14692eac3d5825fa466d731c8692b2ec6c1ea94e4c0ef515738844eeb91ec1
SHA512: 6b720a9a751ae93e7ba777a27b735e7a855058dc5e99056291cdfe6b9956b93f200dd763df66eb2eba7a277a0a6701209ff2133555cebe6a1e394c1024cade2c

Static task: static1
Behavioral task: behavioral1
Sample: Inquiry Order.exe
Resource: win7v20210408

Malware Config
Extracted
xloader
2.5
b5ce
http://www.rheilea.com/b5ce/
Targets
Target: Inquiry Order.exe
Size: 382KB
MD5: a5b0ce8922a255ec0365017fa0cb8ba8
SHA1: 911b6222cf8c51f69f70923b13e3bbad0e0699f7
SHA256: 417269750915b1599cde84c6af73f00f5dbb8be287b1b03dc34887e8eab1105f
SHA512: 73be6f42fe620c1c65ea35f2408055eceba0ff11347b4a3dc4f6f55161b06335a65d7dd922aa53174a49de0075159eef5bca7df50e8b46ff83ba4fdf6bd39300

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Adds policy Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext