General
Target: 48dd5584cf3d6c0930f09e335d98d4fd (the file was submitted under its MD5 hash as the name)
Size: 294KB
Sample: 220217-xbmckadbe5
MD5: 48dd5584cf3d6c0930f09e335d98d4fd
SHA1: a072e576904888726dda9ad1c61673492cd72eae
SHA256: 22d5552fed81b606509972d3c12830cd2cfcd77ec68a8791706099e97b2c1bad
SHA512: 95492bb4e2a9f51f5ff547d2b7e534787cac49d7004a146bdf3df01d7f22f478a7f89f19f1fb411487d8b58b153223e093db44fc6441696091302459d6c3b9e9
Static task: static1
Malware Config
Extracted: xloader
Version: 2.5
Campaign: t9hh
Domains (65 entries; an XLoader config embeds one live C2 among decoy domains and the bot contacts all of them, so treat every entry as an indicator rather than a confirmed C2):
mine.vin
terpenebase.com
potomarket.com
lmaproshop.com
multitecsd.com
vacationrentalsct.com
france-gravure.com
schoolq8.com
caravan777.com
mimtgexpert.com
animesomurie.com
buscalogps.online
legionstudio.net
pdam.top
galapaleso.quest
gulfweeks.com
sedonasuperfit.online
arab-xt-pro.com
fifeapartment.com
pitchgiving.com
ebonyassworship.com
rrrl.space
souscription-ingdiba-ag.com
778tt8.com
karistell.com
novasaudeg1.online
nobis.care
weirdwoman.info
pet-field.com
vnpt66-it.com
manyi-pcsc.biz
bodillion.com
ishirmansingh.com
arrowsmarthr.net
waszom.com
boundlessbeliefs.com
sangs.info
encominate.com
bellesonbroadway.net
golfbombs.store
themerchplug.com
garethjame.biz
lamaisondesmamans.com
gutimautpribuinropgroup.com
kurzundklar.com
pinpointmarket.com
royalprestigehospitality.com
dunnfamily.party
nystmail.com
pconsciousness.com
matranutricion.com
themagneticpro.com
earches3.com
lostformailtoyof2.xyz
battletabs.xyz
spotondigitalsolutions.com
blinglj.com
priceonpole.com
dobsonfryedentist.com
maktabeahlesunnat.com
mcr-llc.com
lens-experts.com
thgn38.xyz
mciedalu.com
stichmarketing.com
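The domain list above is only useful once it is turned into matching logic that accounts for how the bot actually uses it. The following is an added example, not output of the report or code from the XLoader authors: it matches constructed proxy-log lines against the extracted config. Two family behaviours it relies on are assumptions not stated on this page (they are known from Formbook/XLoader analysis): the bot prepends "www." to each configured domain, and it beacons to the URI path "/<campaign>/", here /t9hh/. The log format and the log lines themselves are constructed.

```python
"""Match proxy-log lines against the XLoader config extracted above.

Added example, not part of the report. Family behaviour assumed here
(Formbook/XLoader, not stated on the page): the bot prefixes "www." to each
configured domain, beacons to the path "/<campaign>/" on it, and only one of
the configured domains is the live C2, the rest being decoys the bot also
contacts. Hence: strip "www.", treat every listed domain as an indicator,
and also match the campaign path on hosts not yet in the list.
The log format and lines below are constructed for illustration.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

XLOADER_CAMPAIGN = "t9hh"  # "Campaign" in the extracted config
XLOADER_DOMAINS = frozenset("""
mine.vin terpenebase.com potomarket.com lmaproshop.com multitecsd.com
vacationrentalsct.com france-gravure.com schoolq8.com caravan777.com mimtgexpert.com
animesomurie.com buscalogps.online legionstudio.net pdam.top galapaleso.quest
gulfweeks.com sedonasuperfit.online arab-xt-pro.com fifeapartment.com pitchgiving.com
ebonyassworship.com rrrl.space souscription-ingdiba-ag.com 778tt8.com karistell.com
novasaudeg1.online nobis.care weirdwoman.info pet-field.com vnpt66-it.com
manyi-pcsc.biz bodillion.com ishirmansingh.com arrowsmarthr.net waszom.com
boundlessbeliefs.com sangs.info encominate.com bellesonbroadway.net golfbombs.store
themerchplug.com garethjame.biz lamaisondesmamans.com gutimautpribuinropgroup.com kurzundklar.com
pinpointmarket.com royalprestigehospitality.com dunnfamily.party nystmail.com pconsciousness.com
matranutricion.com themagneticpro.com earches3.com lostformailtoyof2.xyz battletabs.xyz
spotondigitalsolutions.com blinglj.com priceonpole.com dobsonfryedentist.com maktabeahlesunnat.com
mcr-llc.com lens-experts.com thgn38.xyz mciedalu.com stichmarketing.com
""".split())

# Constructed log format: ISO timestamp, client IP, method, URL, HTTP status.
_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and the "www." the bot prepends."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify(line: str) -> dict | None:
    """Parse one log line; return a record with the reasons it matched."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = normalise_host(url.hostname or "")
    path = url.path.rstrip("/") + "/"  # "/t9hh" and "/t9hh/" compare equal
    reasons = []
    if host in XLOADER_DOMAINS:
        reasons.append("host in extracted XLoader domain list")
    if path == f"/{XLOADER_CAMPAIGN}/":
        reasons.append(f"campaign path /{XLOADER_CAMPAIGN}/")
    return {"ts": m["ts"], "client": m["client"], "host": host,
            "path": url.path, "reasons": reasons, "hit": bool(reasons)}


def scan(lines) -> list[dict]:
    """Return only the matching records, in log order."""
    return [r for r in map(classify, lines) if r and r["hit"]]


# Constructed sample lines: two listed domains, one clean request, and one
# unlisted host that still shows the campaign path.
SAMPLE_LOG = [
    "2022-02-17T10:01:02Z 10.0.0.5 GET http://www.mine.vin/t9hh/?Hl=abc&xy=12 200",
    "2022-02-17T10:01:03Z 10.0.0.5 POST http://www.terpenebase.com/t9hh/ 404",
    "2022-02-17T10:01:04Z 10.0.0.7 GET http://example.test/index.html 200",
    "2022-02-17T10:01:05Z 10.0.0.5 GET http://www.unlisted-host.test/t9hh/?a=1 200",
]

if __name__ == "__main__":
    for rec in scan(SAMPLE_LOG):
        print(rec["client"], rec["host"], rec["path"], "; ".join(rec["reasons"]))
```

The fourth sample line is the reason for the path check: when the operator rotates the decoy set, the campaign path in the URI survives longer than any one domain, so matching on it catches hosts the extracted list does not yet contain.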
Extracted: njrat
Version: 0.7d
Botnet: Slaves
C2: hom135.ddns.net:100 (dynamic-DNS host; the report records no resolved IP, so resolve it at analysis time)
Mutex: d4903fdacbb79e6cd1109a741a2bc821 (unlabelled on the page; njRAT reuses its reg_key value as the mutex name, which this matches)
reg_key: d4903fdacbb79e6cd1109a741a2bc821
splitter: |'|'|
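The splitter value is the most durable network indicator in this config, since it is compiled into the bot while the dynamic-DNS hostname can be re-pointed at will. The following is an added example, not output of the report or njRAT's own code: it parses the family's TCP framing from a payload and flags a flow on either the extracted C2 endpoint or the protocol shape. The framing it assumes is njRAT family behaviour rather than anything stated on this page (an ASCII decimal length, a NUL byte, then that many payload bytes whose fields are joined by the splitter, the first field being the command and the client's first message being the "ll" registration); the sample stream and the field layout after the command are constructed for the example.

```python
"""Parse njRAT C2 framing and flag flows matching the extracted config.

Added example, not the report's own output. Family behaviour assumed here
(njRAT 0.7x, not stated on the page): each message is an ASCII decimal
length, a NUL byte, then that many bytes of payload whose fields are joined
by the configured splitter; the first field is the command, and the client's
first message is the "ll" registration. Everything after the command in the
sample stream below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Values from the extracted njRAT config on this report.
NJRAT_C2 = ("hom135.ddns.net", 100)
NJRAT_SPLITTER = "|'|'|"
NJRAT_BOTNET = "Slaves"


@dataclass
class Frame:
    length: int
    command: str
    fields: list[str]


def parse_frames(stream: bytes, splitter: str = NJRAT_SPLITTER) -> list[Frame]:
    """Split a TCP payload into njRAT frames.

    Stops, rather than raising, on a non-numeric length or a truncated
    final frame, since captures routinely cut mid-message.
    """
    frames: list[Frame] = []
    pos = 0
    while pos < len(stream):
        nul = stream.find(b"\x00", pos)
        if nul == -1:
            break
        head = stream[pos:nul]
        if not head.isdigit():
            break  # not njRAT framing
        length = int(head)
        body = stream[nul + 1 : nul + 1 + length]
        if len(body) < length:
            break  # truncated frame
        fields = body.decode("utf-8", errors="replace").split(splitter)
        frames.append(Frame(length, fields[0], fields))
        pos = nul + 1 + length
    return frames


def build_frame(fields: list[str], splitter: str = NJRAT_SPLITTER) -> bytes:
    """Encode fields the way the client does; used to build the sample."""
    body = splitter.join(fields).encode("utf-8")
    return str(len(body)).encode("ascii") + b"\x00" + body


def flag_flow(dst_host: str, dst_port: int, payload: bytes,
              c2: tuple[str, int] = NJRAT_C2,
              splitter: str = NJRAT_SPLITTER) -> tuple[bool, str]:
    """Return (hit, reason).

    The endpoint check catches traffic to the configured dynamic-DNS C2; the
    shape check still fires if the operator rotates the hostname, because the
    splitter is baked into the bot.
    """
    if (dst_host.lower().rstrip("."), dst_port) == (c2[0].lower(), c2[1]):
        return True, "destination matches extracted njRAT C2"
    frames = parse_frames(payload, splitter)
    if frames and any(len(f.fields) > 1 for f in frames):
        return True, (f"njRAT framing with splitter {splitter!r}, "
                      f"first command {frames[0].command!r}")
    return False, "no match"


# Constructed sample: the "ll" registration followed by a short second
# message. Only the framing and the command follow the family; the victim id
# in "<botnet>_<id>" style and the remaining fields are invented here.
SAMPLE_STREAM = build_frame(
    ["ll", f"{NJRAT_BOTNET}_DEADBEEF0123", "DESKTOP-ABC", "user", "22-02-17",
     "", "Win 10 Pro SP0 x64", "No", "0.7d", "..", ""]
) + build_frame(["inf", f"{NJRAT_BOTNET}_DEADBEEF0123"])


if __name__ == "__main__":
    for frame in parse_frames(SAMPLE_STREAM):
        print(frame.length, frame.command, frame.fields[1:3])
    print(flag_flow("hom135.ddns.net", 100, SAMPLE_STREAM))
    print(flag_flow("example.test", 443, b"5\x00hello"))
```

The parser deliberately bails out on a truncated trailing frame instead of raising, so it can be run over reassembled stream fragments from a capture without wrapping every call in error handling.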
Targets
Target: 48dd5584cf3d6c0930f09e335d98d4fd (294KB; same hashes as listed under General)
Signatures
- Xloader Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Modifies Windows Firewall
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
- Suspicious use of SetThreadContext

Read against the two extracted configs: the firewall change and the Run key are the install-time persistence steps njRAT performs (its Run value is normally named after the reg_key above, so that hash is a host indicator as well as a mutex), and SetThreadContext is the thread-hijack step of the process injection XLoader uses to execute inside a hollowed host process. The MBR signature is a heuristic on a raw write to the first sector of the physical disk; confirm from the full report which process issued that write before classifying the sample as a bootkit.