General
-
Target
Request for Quotation.exe
-
Size
556KB
-
Sample
220126-dn17psecaq
-
MD5
cfe607172762768ef0d28bd9d46459bd
-
SHA1
09c2fcae04979ac5eaa9a30efef0e59aa5bf034d
-
SHA256
08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53
-
SHA512
f3931157cffc40e4aa783261cbbf59fe1698c637c2460dd98828eb0902e66dd006d3aa0e15a9cf17dd1a0396598842c970080ebf7b809813312fc0acdc229714
Static task
static1
Behavioral task
behavioral1
Sample
Request for Quotation.exe
Resource
win7-en-20211208
Malware Config
Extracted
xloader
2.5
b80i
yixuan5.com
jiazheng369.com
danielleefelipe.net
micorgas.com
uvywah.com
nbjcgl.com
streets4suites.com
hempgotas.com
postmoon.xyz
gaboshoes.com
pastodwes.com
libes.asia
damusalama.com
youngliving1.com
mollyagee.com
branchwallet.com
seebuehnegoerlitz.com
inventors.community
teentykarm.quest
927291.com
wohn-union.info
rvmservices.com
cuanquotex.online
buysubarus.com
360e.group
markham.condos
carriewilliamsinc.com
ennitec.com
wildberryhair.com
trulyrun.com
pinkandgrey.info
mnselfservice.com
gabtomenice.com
2thpolis.com
standardcrypro.com
58lif.com
ir-hasnol.com
ggsega.xyz
tipslowclever.rest
atlasgrpltdgh.com
4338agnes.com
hillsncreeks.com
pentest.ink
cevichiles.com
evodoge.com
gooooooo.xyz
ehaszthecarpetbagger.com
finanes.xyz
zoharfine.com
viperiastudios.com
sjljtzsls.com
frentags.art
mediafyagency.com
faydergayremezdayener.net
freelance-rse.com
quickmovecourierservices.com
lexingtonprochoice.com
farmacymerchants.com
inkland-tattoo.com
aloebiotics.com
rampi6.com
bookinggroningen.com
wilkinsutotint.com
inslidr.com
dreamschools.online
Targets
-
-
Target
Request for Quotation.exe
-
Size
556KB
-
MD5
cfe607172762768ef0d28bd9d46459bd
-
SHA1
09c2fcae04979ac5eaa9a30efef0e59aa5bf034d
-
SHA256
08d17b9c0d3ab4eb79a38b0a500655f9f47bc3468718ae5b61d59d0b2b687e53
-
SHA512
f3931157cffc40e4aa783261cbbf59fe1698c637c2460dd98828eb0902e66dd006d3aa0e15a9cf17dd1a0396598842c970080ebf7b809813312fc0acdc229714
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Deletes itself
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-