General
Target: PO-TFL39043.iso
Size: 406KB
Sample: 211025-scqzxshbfr
MD5: 4c49eee470ce69a4a38d14e2022fc87f
SHA1: 77bab2c72a03a3b9a45b1778bb6ef796dbbaae02
SHA256: d33a2ebb9433efe141931ba40d9395a7039d476111e99f557f139052cb5ef612
SHA512: d786948a2b8e26ee747c7b2be27626169c251660da2607d3c3cfe5ca8c3e83f4199cb535f34d0eb9a1fe2c21ba771146f799b096cf8628e4fc9d6710f76b195c

Static task: static1
Behavioral task: behavioral1
Sample: PO-TFL39043.exe
Resource: win7-en-20211014

Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: p208
C2 URL: http://www.thaoduochuyetap.online/p208/
Targets
Target: PO-TFL39043.exe
Size: 344KB
MD5: f9ca5c26a7b036d6ed12428e9415e57a
SHA1: 9f2a5bb76a351b8bedbd29125283631346117115
SHA256: 301c57782851a93d5b229fc921d1953a9c650131f6a3dfad1176705e5a99fb38
SHA512: 0691723bd263abcd628ee579ee96f7238e823a46f8c08004e0670f3179480cfd16bd508da72b0d37889f54b5deea2b54ec86e53627b06355e08b043173b24821

suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Deletes itself
Suspicious use of SetThreadContext