General
Target: 01c9ef989594dd752b02d280530c117f0c744c18fe3351a9ef24e0a6b44c3191
Size: 407KB
Sample: 220521-a7x3lsedhn
MD5: 664c9c6579b65a2c163c01689620599c
SHA1: bc88ce965ce15cafb5914b90918ab339bd96dbc3
SHA256: 01c9ef989594dd752b02d280530c117f0c744c18fe3351a9ef24e0a6b44c3191
SHA512: 13f6303b3129c1ca678a0131720bbae31c91444451a86abbb8cecde79103738357ade8a30c228d721b85e3ad84f05a39367493b7a106ad464246d6a0c40712e5
Static task: static1
Behavioral task: behavioral1
  Sample: PO0932083943974.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: PO0932083943974.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted: xloader 2.0 b6fg
multlockmt5.com
mohajrannoor.com
robynhoodofretail.info
belinv.com
hotellasab.com
kibrismosad.com
xn--fxwm39aeb590h.xn--io0a7i
resetbrasil.com
tcsonhvac.com
theresav.net
bohoqi.info
machinafuturae.com
mambavault.com
xn--980am9a.top
yumiang.com
evntmonitor.com
83003kk.com
triterm.com
8800pe.com
silvanstudio.com
taragon-entertainment.com
ahly-live.com
ucpprint.com
betscrum.com
homehit.house
taab3.net
martiswatches.com
cartel-sinaloa.com
flyfuncenter.com
lezhen.top
aiotstairlift.com
selfless-entrepreneur.com
easttaiwansurftrip.com
descubriendonoruega.com
wicoru.com
tacmktg.com
callisterlawgroup.com
khogiaychinhhang.com
hobianak.com
pole-entrepreneur.net
callumjcummings.com
sgknox.com
xn--zuneauspolen-gcb.com
wwwjinsha622.com
everyoneschocolate.com
medlplayground.com
honeynray.com
whackajudge.com
alwarren.com
venglishhouse.com
quantumpearlpoc.com
movie4in.com
vytalhealthcare.com
sportsempires.com
xinhby.com
296djw.info
biblebeater.com
e-jie360.com
lemarcoambar.com
thekoulenresidence.com
iejel.com
sha256.equipment
j12mfg019y.com
clearlyconversing.com
magentos.info
Targets
Target: PO0932083943974.exe
Size: 628KB
MD5: 42e8fda0885f8ce54deaabab4d25f775
SHA1: f1173fbe2ddf0b031f4ee189e7448e0d13084595
SHA256: a0086dfee2dba4d6a0adab05e848cfbb9755f68be7adef3ff35ff9740e5a1c2e
SHA512: 015521a434a05f8fcff947f1dc7bcebf1f1ad9d70dc44612ebed84dfd6de3af96ddf0439a994d0bd16e9e07dc888af20389b606824e700c2557ce95f0c802516
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Looks for VirtualBox Guest Additions in registry
- Xloader Payload
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext