General
-
Target
Payment copy.zip
-
Size
359KB
-
Sample
211122-pxvbasfeam
-
MD5
3bffc541399e33c4321111874b2a45e4
-
SHA1
be0489a89fc53739c703c5a4779955c638f3f507
-
SHA256
3d4079a44479c6f2812965a212fac2ea588e5995cd754d1732125e3be99c2584
-
SHA512
a724dac559454cdeec5989fe3aaf3d0a4b7246e93a6e6544d07eaf644f6ff6d7b4122851519e905807abc6719561f84fcd84057957ac2681179d5d5e7b2f9cd2
Static task
static1
Behavioral task
behavioral1
Sample
Payment copy.exe
Resource
win7-en-20211104
Malware Config
Extracted
xloader
2.5
ea0r
http://www.asiapubz-hk.com/ea0r/
lionheartcreativestudios.com
konzertmanagement.com
blackpanther.online
broychim-int.com
takut18.com
txstarsolar.com
herdsherpa.com
igorshestakov.com
shinesbox.com
reflectpkljlt.xyz
oiltoolshub.com
viralmoneychallenge.com
changingalphastrategies.com
mecitiris.com
rdadmin.online
miniambiente.com
kominarcine.com
pino-almond.com
heihit.xyz
junqi888.com
metalumber.com
sclvfu.com
macanostore.online
projecturs.com
ahcprp.com
gztyfnrj.com
lospacenos.com
tak-etranger.com
dingermail.com
skiin.club
ystops.com
tnboxes.com
ccafgz.com
info1337.xyz
platinum24.top
hothess.com
novelfinancewhite.xyz
theselectdifference.com
flufca.com
giftcodefreefirevns.com
kgv-lachswehr.com
report-alfarabilabs.com
skeetones.com
4bcinc.com
americamr.com
wewonacademy.com
evrazavto.store
true-fanbox.com
greencofiji.com
threecommaspartners.com
hgtradingcoltd.com
xihe1919.com
241mk.com
helplockedout.com
wefundprojects.com
neosecure.store
purenewsworldwide.com
luckylottovip999.com
lottidobler.com
proyectohaciendohistoria.com
raintm.com
theproducerformula.com
trademarkitforyourself.com
ottaweed.com
Targets
-
-
Target
Payment copy.exe
-
Size
513KB
-
MD5
72057af1fd635831488188f01b91cff5
-
SHA1
369ca3dd85f77d46b20beb415f25ed5aba81858e
-
SHA256
105a4aaa48d95d20470f19e69f83066d09c1c0140ef5c2e13eab30afdc054668
-
SHA512
ca2b72e22cf05a893d4d7c4c6a5759415e153da8b2fb27bec3915e04ade8cc49bbcf18f9ec37209368921ce3e91a3a966025f5db8093a7fa4324b83796380df4
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-