General
Target: RFQ - 1100195199 - 1100190914.exe
Size: 373KB
Sample: 211028-q3wa8agdgp
MD5: 0f3e620da62e90910e5ba126f927e84e
SHA1: 60c1802a48d31314b47894214f89be2b20a2dc60
SHA256: c5d5cc8f818f3f07bd35e0255b59873957e37336ef4af224879023ecebec2342
SHA512: 9f426f52ad331b28505ec13efc2e3f15a0fc5ddbd3481a254d19424daf5839520131478b57bc266d06410bb4396bc5af18af5916b2b78c3916dcc45486505511
Static task: static1
Behavioral task: behavioral1
Sample: RFQ - 1100195199 - 1100190914.exe
Resource: win7-en-20210920
Malware Config
Extracted
xloader
2.5
nc26
http://www.tattooof.info/nc26/
Targets
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Deletes itself
Suspicious use of SetThreadContext