General
-
Target
t1.msi
-
Size
124KB
-
Sample
211019-r7wyzsghfm
-
MD5
5262da4295e8a62d58d17991b35bf860
-
SHA1
3fba37528f6b06d2c89c7d86ce6352df438f1855
-
SHA256
058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
-
SHA512
8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18
Static task
static1
Behavioral task
behavioral1
Sample
t1.msi
Resource
win7-en-20210920
Malware Config
Extracted
xloader
2.5
fs3g
http://www.indigenousjobsearch.com/fs3g/
juliorodriguez.info
koglifestylegym.com
matrixrecruits.com
tes5ci.com
firlefanz.digital
funkyladybug.com
susneh.com
polistanok.space
theindiahub.com
bigmargintennis.com
ti-talk.com
onejmj.com
ff4ca2623.xyz
mtzion-tn.com
yidiaodiaosu.com
dadsgaragedoor.com
rigs-4u.com
jiaoyimaojiyu2.xyz
evcay.com
appmxt.com
xn--bin-2k4mp34c09iwiz.com
levelupelectricianservice.com
onlinemailhelp.xyz
beftera.com
betterwithchocolate.net
theezteeshirtdisplay.com
rehrigconsulting.com
youbelievethati.space
zounabx.xyz
encriptado.xyz
tabuce.com
supzstufz.com
dentureslenexa.com
coveragepenguin.com
merakii.art
gbi.direct
trainapparel.store
buildajourney.com
leetina.com
wethinkera.com
flurrysoccer.com
secure-bt-verification.com
sousoudianjia.com
holyleads.net
elifina.xyz
armilchuck.com
theherbalpot.com
itemexchange.xyz
saelomo.xyz
bostonhome.services
checkdtv.com
gotrackqueue.com
therecycledsailcompany.com
yamaltkwxz.top
modern-menswear.com
lennoxalexandar.com
phd-businessplan.com
josie-supernatural.com
lad.network
yangguowei.store
1524019.win
southflordiahomes.com
nohara-screw.com
royalcaveinc.com
Targets
-
-
Target
t1.msi
-
Size
124KB
-
MD5
5262da4295e8a62d58d17991b35bf860
-
SHA1
3fba37528f6b06d2c89c7d86ce6352df438f1855
-
SHA256
058ee0434baf472713da384ee3ba273f64995b9c7f83b7e62a8b3285b334b2cf
-
SHA512
8a82d10997e8b64ab12688e6cb909e405644bfcf2ed0e47df9c16009bf1ae415c17bc5a0cc27717d34f6f5484ca27fe026893b4637ea01cb1209dd0427574c18
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Executes dropped EXE
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Loads dropped DLL
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-