General
Target: RFQ - 1100195199 - 1100190914.exe
Size: 411KB
Sample: 211028-pxxfnagdaj
MD5: 19198e3a535c8420bbcdc28232039701
SHA1: 8739d67ca895bc43ddb6d3fc7d44b9d9f1d0d9f9
SHA256: 02f11a50849b59419b2695f563fc98576ca76f998ab73ef988aa4868cad6320b
SHA512: 51b6a376040ef653853e5f3009a273cd0b2ba855951d90671bf7040eb36d76f2126fae8539ab92d3bf162008411c45ed71a8a9f2b913e57f412ae00a1fa2e63c

Static task: static1
Behavioral task: behavioral1
Sample: RFQ - 1100195199 - 1100190914.exe
Resource: win7-en-20211014
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: nc26
C2: http://www.tattooof.info/nc26/
Decoy domains:
orangecountydeathmarch.com
blissbeautyuk.com
inarticulables.xyz
go-sbs02.com
annonces-pointvirgulefrance.com
ygcdyf.com
loftischoice.com
obesidadfceron.com
jaijin.com
kreditnekarticehr.com
proactiveline.com
sousouhenansheng.com
lynxvms.com
doujiu.xyz
getur-pckg.info
tremas25.com
jiayuesport.com
divyana.website
n1zk.xyz
benaatlc.com
jadesrc.com
fztbusragumus.com
vietnamesewriter.com
rapibest.com
omexomnimesla.com
cyblfq.com
realviennesephoto.com
pra-accessibility.com
straightii.com
starpointeartsacademy.com
centurial.space
civicinfluencers.net
formecondominium.com
tb25431.icu
authenticationtd.net
inden-store.com
rjf-s.com
terraquers.com
st-dayang.com
boarding-schools-usa.com
greysoh.xyz
sinosigns.net
joshquotes.biz
ripbiden2024.com
agbadminton.com
tuktravel.com
shly1628.com
thehomereliefdigest.com
tanakaya-jp.com
heilins.com
tagheuersrilanka.com
100crane.com
lappajarvi-info.com
lemonpropertycare.com
lingogallery.com
jessencabinets.com
siteahan.com
mygeorgecolemanfordstory.com
boatiquewear.com
wwwsmyrnaschooldistrict.com
seeindark.com
finedecoration.net
marketstreetzanzi.com
finistere.today
Targets
Target: RFQ - 1100195199 - 1100190914.exe
Size: 411KB
MD5: 19198e3a535c8420bbcdc28232039701
SHA1: 8739d67ca895bc43ddb6d3fc7d44b9d9f1d0d9f9
SHA256: 02f11a50849b59419b2695f563fc98576ca76f998ab73ef988aa4868cad6320b
SHA512: 51b6a376040ef653853e5f3009a273cd0b2ba855951d90671bf7040eb36d76f2126fae8539ab92d3bf162008411c45ed71a8a9f2b913e57f412ae00a1fa2e63c

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Deletes itself
- Suspicious use of SetThreadContext