General

Target: PO-NOV20211115.exe
Size: 4.6MB
Sample: 211115-qx3hcafdhn
MD5: a4830938aeb704c9b11b2261efdef1fc
SHA1: 645111b29a544379ee7c15b44ec11fef103158f3
SHA256: 776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097
SHA512: 9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324

Static task: static1
Behavioral task: behavioral1
Sample: PO-NOV20211115.exe
Resource: win7-en-20211104
Malware Config

Extracted
Family: xloader
Version: 2.5
Campaign: re6p
C2: http://www.workwithmarym.com/re6p/
Decoy domains (the other hosts carried in the extracted config; only the C2 above serves the campaign path):
jedidpress.com
firstimpression.global
iflycny.com
greenandskin.com
tt9577.com
sumidocpa.com
readsprouts.com
heavenlyhighcreations.com
jlhvz.com
ita-web.com
graeds.com
soundtolight.xyz
rajtantra.net
wearinganawesomewoman.store
hrappur.net
wangmiaojf.xyz
youtogo.xyz
mydeadzone.com
qenagypsum.com
kopijhony.com
slingerlandus.com
zafiroxzafiro.com
comzhub.com
gamecroptop.com
onehealth.website
atthoma.com
juku-sup.com
byshelly.biz
hxcc15.com
massagesalondeventer.com
black-sea-coast.com
houstonpavingpros.com
sunglungmiu.online
theincorrectos.com
khomayphotocopy.online
singleseventplanner.com
adicv.com
situsbaccaratterpercaya.com
h2oarquitectura.online
sdzshbkj.com
villagessocialcards.com
dinerboard.com
testhgdedstage13921.com
bugs98.com
338sto.com
3ks8.com
hadiahbet.com
fastbest.host
mainsufittness.com
heartsideforever.com
baraamco.com
greenperiopc.com
banquanku.info
tenlog050.xyz
albertojoserodriguez.com
hubnhost.com
corruptslofnq.xyz
interstate-ts.com
isabellaealexsuel.com
angela-gracephotography.com
moneythankyoupage.com
anwitstore.com
spanglerland.com
realexchangefx.com
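The extracted config above gives a hunting team three things: one real C2 URL whose path is the campaign id (/re6p/), and a long list of decoy domains that the sample also contacts with the same request shape. The following Python script is an added example, not part of the sandbox report or the Triage tooling; it turns that config into indicators and runs them over a few constructed proxy log lines, grading hits so that the C2 host on the campaign path ranks above a decoy domain seen on its own. The decoy set is a subset of the list above, the log format and the query-string contents are invented for the example, and the severity labels are this script's own, not values the report assigns.

```python
import re
from urllib.parse import urlsplit

# Values taken from the extracted config on this page.
C2_URL = "http://www.workwithmarym.com/re6p/"
CAMPAIGN = "re6p"

# A subset of the decoy domains from the extracted config (the full list is above).
DECOY_DOMAINS = {
    "jedidpress.com",
    "firstimpression.global",
    "iflycny.com",
    "greenandskin.com",
    "tt9577.com",
}

# Constructed proxy log lines (not real telemetry): time, client, method, URL, status.
# The query strings are placeholders, not the sample's real check-in parameters.
SAMPLE_LOG = """\
2021-11-15T10:01:02Z 10.0.0.12 GET http://www.workwithmarym.com/re6p/?a=QUJD&b=XYZ 200
2021-11-15T10:01:05Z 10.0.0.12 GET http://jedidpress.com/re6p/?a=QUJD&b=XYZ 404
2021-11-15T10:02:00Z 10.0.0.40 GET http://iflycny.com/ 200
2021-11-15T10:02:30Z 10.0.0.55 GET http://example.org/index.html 200
2021-11-15T10:03:00Z 10.0.0.12 POST http://www.workwithmarym.com/re6p/ 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def normalize_host(host):
    """Lower-case and drop a leading 'www.' so config and log hosts compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_indicators(c2_url=C2_URL, campaign=CAMPAIGN, decoys=DECOY_DOMAINS):
    """Split the config into the three things worth matching on."""
    parts = urlsplit(c2_url)
    return {
        "c2_host": normalize_host(parts.hostname),
        "campaign_path": "/" + campaign + "/",
        "decoys": {normalize_host(d) for d in decoys},
    }


def classify(url, ind):
    """Return (severity, reason) for one URL, or None if nothing in the config matches."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    host = normalize_host(parts.hostname)
    on_campaign_path = parts.path.startswith(ind["campaign_path"])
    if host == ind["c2_host"] and on_campaign_path:
        return ("high", "request to the configured C2 on the campaign path")
    if host == ind["c2_host"]:
        return ("medium", "request to the configured C2 host outside the campaign path")
    if host in ind["decoys"] and on_campaign_path:
        # The same check-in shape sent to a decoy: strong hint the host is infected,
        # even though the decoy itself is a legitimate site.
        return ("medium", "campaign path sent to a decoy domain")
    if host in ind["decoys"]:
        return ("low", "decoy domain only; legitimate site, correlate before acting")
    return None


def scan(log_text, ind=None):
    """Parse log lines and return every hit as (ts, client, method, url, severity, reason)."""
    ind = ind or build_indicators()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, method, url, status = m.groups()
        verdict = classify(url, ind)
        if verdict:
            hits.append((ts, client, method, url, verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The grading is deliberate: the Suricata alert listed further down fires on the GET check-in, which corresponds to the high-severity branch here; a hit on a decoy domain with no campaign path is weak evidence on its own, because those hosts are ordinary websites that other users in the network may visit.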
Targets

Target: PO-NOV20211115.exe
Size: 4.6MB
MD5: a4830938aeb704c9b11b2261efdef1fc
SHA1: 645111b29a544379ee7c15b44ec11fef103158f3
SHA256: 776a5c20a347e729fd9fa02388673f3769a4a5aa7d4e44f579c581c9a928e097
SHA512: 9c96dd62907d292e45ceb8ccb98af6625d6e97b47ffd46662e3fcf7055a3565ac181a78c748c451a2c295659bad0fda03b19be6f0fcaf9d522003c2b8b5ad324
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Executes dropped EXE
Drops startup file
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Suspicious use of SetThreadContext