General
Target: bilxc.exe
Size: 885KB
Sample: 211230-xpngsaeffq
MD5: 009e20fd6242bc65bc299488cd30beaa
SHA1: 30650c50a819ff7d0cbd9a87ee8c0295e3250cb9
SHA256: e8e0692d9699693305d9f7f7a1c75dec2c2c98c6bfa5ef71306accc7eeeb0fce
SHA512: de3c9ca53935123da61af7ee4480213822005e9a72105b8caba0f1c7f6a4cc460d0b3126bc949ab4d68df20a4dd0f11652b303423a8edd2d46ce3128c0b62ae2
Static task: static1
Behavioral task: behavioral1 (sample: bilxc.exe, resource: win7-en-20211208)
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: a1m3
C2 domains:
lincolncountynvjail.com
yesicaccolqque.com
thealleybeat.com
qbaobaoky.com
bebebeton.com
makerrushcoolbuster.com
6prwhs.xyz
petfestivalistanbul.xyz
e5t4hs.host
numinerinternational.com
azino777-bonus1000-rub3.site
siteoficial-comprassegura.com
1xx2.xyz
italianaware.com
parkitsmart.net
horns365.com
parabyteinfotech.com
cryptotrumper.com
wu7f46pislmb.xyz
holibol.icu
invest2burundi.com
mme.top
arizonatrustedagent.com
realize-used.com
junkcarwiz.com
congocdongy.info
wensupsychology.com
dynastyincattorneys.com
logistonaut.com
returntowebshop.com
lucentfit.com
glasshouse-venues.com
jdbproject.com
themarketmex.com
hoardinghippo.com
aquintessential.com
crditpassport.com
puciamie.com
wepkor.online
chuyengiathanhlocda.com
fst-clinic-2.com
y7uyhm.xyz
shoprealestateceo.com
sententiaganification.com
harlemnfthotel.com
avenue16designs.com
ivycareconcierge.com
cqnnection.net
blackwallstreetpalmbeach.com
durubksa.com
bestoutcallmassage.com
xk8c0t1kh668.xyz
virgo.services
terrence888.com
jkscotttalent.com
metaversesaks.com
magazineimporte.com
qualitytimessquare.com
whapty035.xyz
zoominvite.net
jpinfra-mumbai.com
possomholler.com
freepremiumtextures.com
wghakt003.xyz
newenglandluxury.com
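As an added example (not part of the original sandbox report and not sandbox tooling), the Python below turns the hashes and the extracted domain list into a detection check: it hashes a candidate file against the listed digests, matches DNS query names against the config domains (including subdomains, and without matching on look-alike names), and flags hosts that resolved several config domains. Only a subset of the domain list is embedded, on the assumption that the rest is pasted in from the report; the DNS log lines are constructed. One caveat a practitioner needs: Formbook configs mix decoy domains, some of them ordinary legitimate sites, with the live C2, so a lookup of a single listed domain is a lead to corroborate rather than proof of infection, and blocking the whole list blindly will break legitimate traffic.

```python
"""IOC matching built from the extracted Formbook config above.

Added example, not part of the original sandbox report or of any sandbox
tooling.  Hashes and domains are copied from the report; the DNS log lines
are constructed for the demonstration.
"""
import hashlib
from typing import Optional

# File hashes of bilxc.exe as listed in the report.
SAMPLE_HASHES = {
    "md5": "009e20fd6242bc65bc299488cd30beaa",
    "sha1": "30650c50a819ff7d0cbd9a87ee8c0295e3250cb9",
    "sha256": "e8e0692d9699693305d9f7f7a1c75dec2c2c98c6bfa5ef71306accc7eeeb0fce",
}

# Subset of the domains from the extracted config (assumption: the rest of
# the list is pasted in from the report for real use).  Formbook embeds decoy
# domains alongside the live C2, and several decoys are legitimate sites, so a
# single DNS hit is a lead to corroborate, not a verdict.
CONFIG_DOMAINS = {
    "lincolncountynvjail.com",
    "yesicaccolqque.com",
    "thealleybeat.com",
    "qbaobaoky.com",
    "bebebeton.com",
    "6prwhs.xyz",
    "petfestivalistanbul.xyz",
    "e5t4hs.host",
    "azino777-bonus1000-rub3.site",
    "1xx2.xyz",
}


def compute_hashes(data: bytes) -> dict:
    """Return md5/sha1/sha256 hex digests of the given bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in SAMPLE_HASHES}


def matches_sample(data: bytes) -> list:
    """Names of the algorithms whose digest of data equals the report's hash."""
    digests = compute_hashes(data)
    return [name for name, value in digests.items() if value == SAMPLE_HASHES[name]]


def config_domain_for(host: str) -> Optional[str]:
    """Return the config domain that host equals or is a subdomain of, else None.

    Walks from the full name towards the apex, so cdn.6prwhs.xyz matches
    6prwhs.xyz while notqbaobaoky.com does not match qbaobaoky.com.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in CONFIG_DOMAINS:
            return candidate
    return None


def scan_dns_log(lines) -> list:
    """Match query names in '<ts> <src> <qtype> <name>' log lines against the config."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines rather than crash on them
        ts, src, _qtype, name = parts[:4]
        ioc = config_domain_for(name)
        if ioc is not None:
            hits.append({"ts": ts, "src": src, "query": name, "ioc": ioc})
    return hits


def suspicious_sources(hits, min_distinct: int = 2) -> list:
    """Sources that resolved at least min_distinct different config domains.

    Formbook contacts several domains from its list, so one host touching
    multiple of them in a short window is far stronger evidence than a lone
    lookup of a domain that may be a decoy.
    """
    seen = {}
    for hit in hits:
        seen.setdefault(hit["src"], set()).add(hit["ioc"])
    return sorted(src for src, iocs in seen.items() if len(iocs) >= min_distinct)


# Constructed DNS log lines for the demonstration (not from the report).
SAMPLE_LOG = [
    "2021-12-30T10:15:02Z 10.0.0.5 A www.microsoft.com",
    "2021-12-30T10:15:09Z 10.0.0.5 A www.thealleybeat.com",
    "2021-12-30T10:15:11Z 10.0.0.5 A cdn.6prwhs.xyz",
    "2021-12-30T10:15:20Z 10.0.0.7 A lincolncountynvjail.com",
    "2021-12-30T10:15:33Z 10.0.0.5 A notqbaobaoky.com",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['ts']} {hit['src']} queried {hit['query']} -> config domain {hit['ioc']}")
    print("sources with multiple config-domain hits:", suspicious_sources(found))
```

Run it on a real resolver or proxy log by feeding the lines to scan_dns_log, and feed a file's bytes to matches_sample to confirm a suspect binary is this exact sample; treat a single-domain hit as a pivot for host triage (look for the dropped EXE and the Run key the signatures list) rather than as an alert on its own.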
Targets
Target: bilxc.exe
Size: 885KB
MD5: 009e20fd6242bc65bc299488cd30beaa
SHA1: 30650c50a819ff7d0cbd9a87ee8c0295e3250cb9
SHA256: e8e0692d9699693305d9f7f7a1c75dec2c2c98c6bfa5ef71306accc7eeeb0fce
SHA512: de3c9ca53935123da61af7ee4480213822005e9a72105b8caba0f1c7f6a4cc460d0b3126bc949ab4d68df20a4dd0f11652b303423a8edd2d46ce3128c0b62ae2
- Formbook Payload
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext