General

Target: 6269888674037760.zip
Size: 485KB
Sample: 211122-1jsq4aghcl
MD5: 4377372b4e746d9f513395a34ebd8c5a
SHA1: a21851548c27449a4d78e2b8b632df83ad09f3f5
SHA256: cd11ff6fd92ca115b19fec46fbb9d1ef8540bc1e2ffc21ffcb46ef1f22482e0c
SHA512: 32d92c48c9c5f90befb043e4139f657799e6bc3e26d0560a52b9ab0402db3e8d6de1875273868174c56e084e358f8f66f41e99a820eb03b21f5f4ea217daac6e

Static task: static1
Behavioral task: behavioral1
Sample (extracted from the zip): PO NOVEMBER 2021 22 PDF.exe
Resource (analysis VM image): win7-en-20211104
Malware Config

Extracted family: xloader
Version: 2.5
Campaign ID: re6p
C2 URL: http://www.workwithmarym.com/re6p/
Decoy domains (64):
jedidpress.com
firstimpression.global
iflycny.com
greenandskin.com
tt9577.com
sumidocpa.com
readsprouts.com
heavenlyhighcreations.com
jlhvz.com
ita-web.com
graeds.com
soundtolight.xyz
rajtantra.net
wearinganawesomewoman.store
hrappur.net
wangmiaojf.xyz
youtogo.xyz
mydeadzone.com
qenagypsum.com
kopijhony.com
slingerlandus.com
zafiroxzafiro.com
comzhub.com
gamecroptop.com
onehealth.website
atthoma.com
juku-sup.com
byshelly.biz
hxcc15.com
massagesalondeventer.com
black-sea-coast.com
houstonpavingpros.com
sunglungmiu.online
theincorrectos.com
khomayphotocopy.online
singleseventplanner.com
adicv.com
situsbaccaratterpercaya.com
h2oarquitectura.online
sdzshbkj.com
villagessocialcards.com
dinerboard.com
testhgdedstage13921.com
bugs98.com
338sto.com
3ks8.com
hadiahbet.com
fastbest.host
mainsufittness.com
heartsideforever.com
baraamco.com
greenperiopc.com
banquanku.info
tenlog050.xyz
albertojoserodriguez.com
hubnhost.com
corruptslofnq.xyz
interstate-ts.com
isabellaealexsuel.com
angela-gracephotography.com
moneythankyoupage.com
anwitstore.com
spanglerland.com
realexchangefx.com

Note on the decoys: Xloader (like Formbook before it) beacons to a random subset of the decoy domains using the same campaign path as the real C2, so these hosts show up in network telemetry from an infected machine even though they are ordinary sites not under the operator's control. Block and alert on the C2 URL; treat hits on the decoy domains as evidence that the sample ran, not as attacker infrastructure.
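The following Python is an added example and not part of the sandbox report: it turns the extracted config above (C2 URL, campaign ID, decoy domains) into a matcher and runs it over a few constructed proxy log lines, separating a beacon to the real C2 from beacons to decoys and from ordinary browsing of a decoy site. Only a subset of the 64 decoy domains is embedded, and the log line format, the log lines and the function names are assumptions made for the example.

```python
"""Match HTTP proxy log lines against the Xloader config extracted above.

Added example, not part of the sandbox report. The C2 URL, campaign ID and
domain names are copied from the config; only a subset of the 64 decoy
domains is included. The log format and the log lines are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Values from the extracted config.
C2_URL = "http://www.workwithmarym.com/re6p/"
CAMPAIGN_ID = "re6p"
# Subset of the decoy domains from the config (assumption: a real deployment
# would load all 64 from the report).
DECOY_DOMAINS = frozenset({
    "jedidpress.com", "firstimpression.global", "iflycny.com",
    "greenandskin.com", "tt9577.com", "sumidocpa.com", "readsprouts.com",
    "realexchangefx.com", "spanglerland.com", "anwitstore.com",
})


def normalize_host(host: str) -> str:
    """Lower-case, drop a trailing dot and a leading 'www.'; the bot prepends
    'www.' to the bare domains stored in its config, so compare without it."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


C2_HOST = normalize_host(urlparse(C2_URL).hostname or "")


def classify(url: str) -> Optional[str]:
    """Return 'c2' for a request to the real C2 host on the campaign path,
    'c2-host' for other traffic to that host (lower confidence), 'decoy' for
    a campaign-path request to a decoy domain, and None otherwise. A plain
    visit to a decoy domain is None: those are legitimate sites."""
    parsed = urlparse(url)
    if not parsed.hostname:
        return None
    host = normalize_host(parsed.hostname)
    on_campaign_path = parsed.path.startswith(f"/{CAMPAIGN_ID}/")
    if host == C2_HOST:
        return "c2" if on_campaign_path else "c2-host"
    if host in DECOY_DOMAINS:
        return "decoy" if on_campaign_path else None
    return None


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    host: str
    verdict: str


def scan_log(lines: List[str]) -> List[Hit]:
    """Scan constructed log lines shaped like
    '<timestamp> <client-ip> <method> <url> <status>' (assumed format)."""
    hits: List[Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        timestamp, client, _method, url = fields[:4]
        verdict = classify(url)
        if verdict is not None:
            host = normalize_host(urlparse(url).hostname or "")
            hits.append(Hit(timestamp, client, host, verdict))
    return hits


def real_c2_clients(hits: List[Hit]) -> List[str]:
    """Clients that reached the real C2 are the ones to escalate; decoy hits
    alone only show that the sample ran on that client."""
    return sorted({h.client for h in hits if h.verdict == "c2"})


# Constructed log lines (not taken from the report).
SAMPLE_LOG = [
    "2021-11-22T10:01:03Z 10.0.0.5 GET http://www.jedidpress.com/re6p/?ab=xyz 404",
    "2021-11-22T10:01:04Z 10.0.0.5 GET http://www.workwithmarym.com/re6p/?ab=xyz 200",
    "2021-11-22T10:01:05Z 10.0.0.5 GET http://www.tt9577.com/re6p/?ab=xyz 404",
    "2021-11-22T10:02:11Z 10.0.0.9 GET http://www.example.com/re6p/ 200",
    "2021-11-22T10:03:40Z 10.0.0.9 GET http://readsprouts.com/ 200",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit.timestamp} {hit.client} {hit.host} -> {hit.verdict}")
    print("escalate:", real_c2_clients(found))
```

The campaign path is deliberately required for decoy hits: the decoys are real third-party sites, so matching on hostname alone would flag normal browsing. Traffic to the C2 host outside the campaign path is still reported, but at lower confidence, since that domain may also be a compromised legitimate site.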
Targets

Target: PO NOVEMBER 2021 22 PDF.exe
Size: 1012KB
MD5: 96423701a8a3e23e41a7e6d6542f2dc6
SHA1: 6116c35ff15742f9373ec512e474331e2b1eeffe
SHA256: 015174d2840ba0ff84b09efa54379b87fdb761a306d55ec707353f162b8ba39a
SHA512: cc0e48830c2c0d503ac37e8b6000eb4c8060c25a86abe72e1122b5bd2645f7855be267ec5ffcc28166389200228275a0d4ca13d38a1f1d08a95740a8c1987509

Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET) (two alerts; a FormBook rule matching is expected, since Xloader is the continuation of Formbook and keeps its check-in format)
- Xloader Payload
- Blocklisted process makes network request
- Deletes itself
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Suspicious use of SetThreadContext (typical of process hollowing and thread-hijacking injection)