General
Target: 0rder_pdf.exe
Size: 749KB
Sample: 211231-ea4aksged3
MD5: 18fbd8319f9d3ab5011d52b026e0b9b0
SHA1: 9e70d9ca4a54efd68888f739a6cb26c244391b98
SHA256: 47c82ea8fa2149641ac9406672616f32285a9be86689d74edffd2a546816452b
SHA512: ea292bb2e764c5af7e04856f441ec1663bf58d8b3e5dbaeaae25dec1a774719ed76b4316dbe988190549635cc73c306e7e0b2c721f132802b2e990efef063c86
Static task: static1
Behavioral task: behavioral1
Sample: 0rder_pdf.exe
Resource: win7-en-20211208
Malware Config
Extracted
xloader
2.5
mawd
Targets
Target: 0rder_pdf.exe
Size: 749KB
MD5: 18fbd8319f9d3ab5011d52b026e0b9b0
SHA1: 9e70d9ca4a54efd68888f739a6cb26c244391b98
SHA256: 47c82ea8fa2149641ac9406672616f32285a9be86689d74edffd2a546816452b
SHA512: ea292bb2e764c5af7e04856f441ec1663bf58d8b3e5dbaeaae25dec1a774719ed76b4316dbe988190549635cc73c306e7e0b2c721f132802b2e990efef063c86
- Xloader Payload
- Executes dropped EXE
- Deletes itself
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext