General
Target: tmp
Size: 1.1MB
Sample: 220506-rxm84acffq
MD5: f2b83c2075be8c51ada1ac1b2366095e
SHA1: f1dbf47b7e225bd92bd8d1a14ea832117f7c1037
SHA256: dbdd02d3fc196dd03b6f970e8bb08d82896d35b72878c09daa0ab36efcb19cf0
SHA512: 7fdaf5cb281658bd7a8e4088ec8609a3bdd0b07bd029cb8390c9ff3823c854d2d51462bfc4bca8cf2af709e1986ee9eaec33c0be4ca68c759e631e31d85470fe
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: arh2
C2:
hstorc.com
blackountry.com
dhrbakery.com
dezhouofit.com
defipayout.xyz
ginas4t.com
byzbh63.xyz
qrcrashview.com
mialibaby.com
enhaut.net
samainnova.com
yashveerresort.com
delfos.online
dungcumay.com
lj-counseling.net
fliptheswitch.pro
padogbitelawyer.com
aticarev.com
sederino.site
bestplansforpets-japan3.life
radicallysimplesupps.com
sandbagmaker.com
misdcf.xyz
nbpz.xyz
floridasunbreaks.com
justfinishesofcolorado.com
homemethtestkit.com
chaquetashapticas.com
zodiactshirt.com
tees.email
zxzx999.com
tempepdf.com
watchusroll.com
parotacenter.com
assistcourse.online
paulstilingroup.com
cnbcfx.com
mooncore.xyz
laplugnation.com
gosti24.com
cthomassolutions.com
rkhubs.com
aboutpier.com
multimediaroomandboard.com
iamparrot.com
wifitest.info
nounworld.com
xpartner.biz
128grandviewdrivenewportnsw.com
bakiin.com
suitcell.com
onehitgamerstudios.com
bathingsuitsshoppingus.com
wingstarifa.com
ccasudqi.com
epiconscious.com
ponponshoes.com
cicom.tech
safetynetinc.net
recanto.xyz
sellsidelite.net
kevmoinesproperties.com
hdwallpaperpics.life
57gznfw.xyz
abtys6.online
Targets
Target: tmp
Size: 1.1MB
MD5: f2b83c2075be8c51ada1ac1b2366095e
SHA1: f1dbf47b7e225bd92bd8d1a14ea832117f7c1037
SHA256: dbdd02d3fc196dd03b6f970e8bb08d82896d35b72878c09daa0ab36efcb19cf0
SHA512: 7fdaf5cb281658bd7a8e4088ec8609a3bdd0b07bd029cb8390c9ff3823c854d2d51462bfc4bca8cf2af709e1986ee9eaec33c0be4ca68c759e631e31d85470fe
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Looks for VirtualBox Guest Additions in registry
Xloader Payload
Adds policy Run key to start application
Executes dropped EXE
Looks for VMWare Tools registry key
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext