General
-
Target
6642355995836416.zip
-
Size
286KB
-
Sample
220315-s419zabedp
-
MD5
0c45d32e3440162217fc6dd317d3651a
-
SHA1
6b58afced8635473f4f0c388b0c131fca1df13a9
-
SHA256
cd345e01247d238120214ea6f636e688fa5b15f37454ff6566bf1ddd77f471be
-
SHA512
a56a59b032ccaaeb8d6a424837ca06662c14eb549ce3cf3aca9ad55596edc15d99129d4697e282e15bfed9a3799fb24fce1231051f2ae3b9bfaa91df856c9173
Malware Config
Extracted
xloader
2.5
qatv
sexycurvycool.com
webundefinedstaging.website
gaspeehaze.com
adomnaturals.com
best10canadianreviews.info
nikekogan.com
5537sbishop.info
khonnaisoi.com
cures8t.com
garthoaks.com
belvederepharmagroup.com
chivo.plus
qishanlin.top
ccjon1.com
biz-financeagency.com
bdqimeng88.top
3-little-pigs.com
ord13route.art
webku-trial.xyz
ncgf28.xyz
Targets
-
-
Target
f44d75390275e2f15ea0111de765cdaede7436331101363ba1db17b74f8cd88e
-
Size
864KB
-
MD5
fe330e62ee592637466d5def2358afa8
-
SHA1
62bb2ec1f62e38b9c2605ba661b85ac10cddefe0
-
SHA256
f44d75390275e2f15ea0111de765cdaede7436331101363ba1db17b74f8cd88e
-
SHA512
ba59ac6e0070aae34b5cc98b6ba041f21fbbb52cd2e4551bc30a0570aa48175abb2c2aef14886bfc54128d080558e5dfd20f8800f572d7286dfa242c7032a9d2
Score10/10-
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Xloader Payload
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-