General
-
Target
order confirmation payment copy.exe
-
Size
29KB
-
Sample
220222-r9we8sabd8
-
MD5
52b704a5b91990616f13578732a79b97
-
SHA1
fd6c83a29b70dbe8fa9dbc5971ec03f403c5061e
-
SHA256
678f04893ab76acac51db1dbfc38aa7b5bc442055e00d6f4dbc209e8d065b086
-
SHA512
416fc722b9d7d327479666bbec60fe72117cdcf7eae58265004de483641c363601b6267a4c2367256d37a2498fd44ebe6ba675c642846a378b880cbd244c0056
Static task
static1
Behavioral task
behavioral1
Sample
order confirmation payment copy.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
order confirmation payment copy.exe
Resource
win10v2004-en-20220112
Malware Config
Extracted
xloader
2.5
po6r
jnhuichuangxin.com
mubashir.art
extol.design
doyyindh.xyz
milanoautoexperts.com
4thefringe.com
453511.com
sellathonautocredit.com
velgian.com
6672pk.com
wodeluzhou.com
sumiyoshiku-hizaita.xyz
imoveldeprimeira.com
dgjssp.com
endokc.com
side-clicks.com
cashndashfinancial.com
vanhemelryck.info
agamitrading.com
woofgang.xyz
atnetworkinc.com
malleshtekumatla.com
com-home.xyz
buildyourmtg.com
viairazur.xyz
drproteaches.com
amaznsavings.com
karencharlestonrealtor.com
bootstrategy.com
mimtgexpert.com
sebzvault.com
brtaclub.com
gicarellc.com
annehonorato.com
rafalgar.com
bergenyouthorchestra.com
entrevistasesenciales.com
thekneedoctors.com
grosseilemireal.estate
celestialdrone.art
bouwdrogerhurenvlaanderen.com
koppakart.com
irishykater.quest
blinglj.com
editorparmindersingh.com
klnhanced.quest
divinebehaviorsolutions.com
amprope.com
futuracart.com
ditrhub.com
eaoeducationprogramme.com
smartplumbing.services
revelandlaceevents.com
bikedh.xyz
pacificdevelopmentstudio.com
palisadesskivacation.com
happy-pets.xyz
killyourselfnigger.com
sonicdrillinginstitute.com
alibabascientific.com
sh-leming.com
aseelrealestate.com
lohmueller.gmbh
ngoccompany.com
healthonline.store
Targets
-
-
Target
order confirmation payment copy.exe
-
Size
29KB
-
MD5
52b704a5b91990616f13578732a79b97
-
SHA1
fd6c83a29b70dbe8fa9dbc5971ec03f403c5061e
-
SHA256
678f04893ab76acac51db1dbfc38aa7b5bc442055e00d6f4dbc209e8d065b086
-
SHA512
416fc722b9d7d327479666bbec60fe72117cdcf7eae58265004de483641c363601b6267a4c2367256d37a2498fd44ebe6ba675c642846a378b880cbd244c0056
Score10/10-
Modifies WinLogon for persistence
-
Xloader Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-