General
-
Target
KBH_2392649118.js
-
Size
409KB
-
Sample
211208-s8r7vshean
-
MD5
d86b377c11dad8347e57ad5895a7b74a
-
SHA1
62168670328101bd5895691a16dd78edb2e6bce2
-
SHA256
e3e76daa108c493acc48e62810e4852f576d45793bee52facf3eb5c32c661ad5
-
SHA512
cc94c484e40b04a7955c652b6276adb931c2ef5d290b69fc95aa800ea21900b971647d5e6134ab23ddb19fbce4b026a5d03c5ed0247f2421723d5b29d7ddb9f2
Static task
static1
Behavioral task
behavioral1
Sample
KBH_2392649118.js
Resource
win7-en-20211208
Malware Config
Extracted
xloader
2.5
pzi0
http://www.buffstaff.com/pzi0/
laylmodest.com
woruke.club
metaverseslots.net
syscogent.net
aluxxenterprise.com
lm-solar.com
lightempirestore.com
witcheboutique.com
hometech-bosch.xyz
expert-netcad.com
poteconomist.com
mycousinsfriend.biz
shineveranda.com
collegedictionary.cloud
zqlidexx.com
businessesopportunity.com
2utalahs4.com
participatetn.info
dare2ownit.com
varser.com
gxo.digital
networkroftrl.xyz
renturways.com
theprooff.com
ncgf06.xyz
lighterior2.com
one-seo.xyz
benzprod.xyz
k6tkuwrnjake.biz
robinlynnolson.com
ioptest.com
modern-elementz.com
baetsupreme.net
lapetiteagencequimonte.com
xn--bellemre-60a.com
bringthegalaxy.com
shopnobra.com
maroondragon.com
pandemictickets.com
intelligentrereturns.net
quietshop.art
anarkalidress.com
wasserstoff-station.net
filmweltruhr.com
buck100.com
maxicashprommu.xyz
studiosilhouettes.com
lightningridgetradingpost.com
zhuanzhuan9987.top
mlelement.com
krystalsescapetravels.com
simplyabcbooks.com
greenhouse1995systems.com
altogetheradhd.com
servicedogumentary.com
cdcawpx.com
motometics.com
palisadesattahoe.com
paradgmpharma.com
microexpertise.com
venkycouture.online
maculardegenerationtsusanet.com
atlasbrandwear.com
karegcc.com
Targets
-
-
Target
KBH_2392649118.js
-
Size
409KB
-
MD5
d86b377c11dad8347e57ad5895a7b74a
-
SHA1
62168670328101bd5895691a16dd78edb2e6bce2
-
SHA256
e3e76daa108c493acc48e62810e4852f576d45793bee52facf3eb5c32c661ad5
-
SHA512
cc94c484e40b04a7955c652b6276adb931c2ef5d290b69fc95aa800ea21900b971647d5e6134ab23ddb19fbce4b026a5d03c5ed0247f2421723d5b29d7ddb9f2
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-