General

Target: 3904214c69427ca44fbe3dd2b567493d006578d13b50a22367dbbf547d7f714c
Size: 205KB
Sample: 220521-az5sgseafj
MD5: 69ca5593a7f846a565a6d23a5013d883
SHA1: 8a3e486b679d3df59a8b6064e674eb8ba511f9b9
SHA256: 3904214c69427ca44fbe3dd2b567493d006578d13b50a22367dbbf547d7f714c
SHA512: f283633fb8414fbb54b601392acdcec7cddd786e36e493c5e8d288d4de50bac631bafcb455f9a5d34393a84313b628e2a9c7182e34c2d175092aa4401f44d1e9

Static task: static1
Behavioral task: behavioral1
Sample: PO0932083943974.exe
Resource: win7-20220414-en

Note that the submitted object (205KB, SHA256 3904214c...) is not the executable that was run (PO0932083943974.exe, 351KB, listed under Targets with its own hashes). The submission is presumably a container from which the executable was extracted; when searching for this sample elsewhere, use the hashes of the executable rather than those of the submission.
Malware Config

Extracted
Family: xloader
Version: 2.0
Campaign: b6fg

Domains (65 entries):
multlockmt5.com
mohajrannoor.com
robynhoodofretail.info
belinv.com
hotellasab.com
kibrismosad.com
xn--fxwm39aeb590h.xn--io0a7i
resetbrasil.com
tcsonhvac.com
theresav.net
bohoqi.info
machinafuturae.com
mambavault.com
xn--980am9a.top
yumiang.com
evntmonitor.com
83003kk.com
triterm.com
8800pe.com
silvanstudio.com
taragon-entertainment.com
ahly-live.com
ucpprint.com
betscrum.com
homehit.house
taab3.net
martiswatches.com
cartel-sinaloa.com
flyfuncenter.com
lezhen.top
aiotstairlift.com
selfless-entrepreneur.com
easttaiwansurftrip.com
descubriendonoruega.com
wicoru.com
tacmktg.com
callisterlawgroup.com
khogiaychinhhang.com
hobianak.com
pole-entrepreneur.net
callumjcummings.com
sgknox.com
xn--zuneauspolen-gcb.com
wwwjinsha622.com
everyoneschocolate.com
medlplayground.com
honeynray.com
whackajudge.com
alwarren.com
venglishhouse.com
quantumpearlpoc.com
movie4in.com
vytalhealthcare.com
sportsempires.com
xinhby.com
296djw.info
biblebeater.com
e-jie360.com
lemarcoambar.com
thekoulenresidence.com
iejel.com
sha256.equipment
j12mfg019y.com
clearlyconversing.com
magentos.info

Xloader (the successor of FormBook) embeds a domain list in which only one or a few entries are the operator's live C2 and the rest are decoys, many of them legitimate sites. On each beacon cycle the bot contacts a subset of the list that includes the live server, so every entry above is a usable network indicator for this campaign, but a hit on any single domain does not by itself identify the operator's infrastructure. Two entries (xn--fxwm39aeb590h.xn--io0a7i and xn--980am9a.top) are punycode-encoded internationalised names; match on the ASCII form as it appears in DNS.
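The following is an added example, not part of the sandbox report: a small hunting script that takes the 65 configured domains above and scans DNS query logs for exact or subdomain matches (Xloader/FormBook commonly beacons to www.<domain>, so a plain exact match would miss hits), while rendering the punycode entries for an analyst. The log line format and the log lines themselves are constructed for illustration and are assumptions of this example; nothing here is output of the sandbox.

```python
"""Hunt DNS logs for the Xloader 2.0 / campaign b6fg domain list.

Added example (not part of the sandbox report). The domain list is copied
from the Malware Config section; the log format and the sample log lines
are constructed here for illustration.
"""
from typing import Dict, List, Optional, Tuple

# The 65 domains extracted from the sample's configuration.
XLOADER_B6FG_DOMAINS: List[str] = """
multlockmt5.com mohajrannoor.com robynhoodofretail.info belinv.com hotellasab.com
kibrismosad.com xn--fxwm39aeb590h.xn--io0a7i resetbrasil.com tcsonhvac.com
theresav.net bohoqi.info machinafuturae.com mambavault.com xn--980am9a.top
yumiang.com evntmonitor.com 83003kk.com triterm.com 8800pe.com silvanstudio.com
taragon-entertainment.com ahly-live.com ucpprint.com betscrum.com homehit.house
taab3.net martiswatches.com cartel-sinaloa.com flyfuncenter.com lezhen.top
aiotstairlift.com selfless-entrepreneur.com easttaiwansurftrip.com
descubriendonoruega.com wicoru.com tacmktg.com callisterlawgroup.com
khogiaychinhhang.com hobianak.com pole-entrepreneur.net callumjcummings.com
sgknox.com xn--zuneauspolen-gcb.com wwwjinsha622.com everyoneschocolate.com
medlplayground.com honeynray.com whackajudge.com alwarren.com venglishhouse.com
quantumpearlpoc.com movie4in.com vytalhealthcare.com sportsempires.com xinhby.com
296djw.info biblebeater.com e-jie360.com lemarcoambar.com thekoulenresidence.com
iejel.com sha256.equipment j12mfg019y.com clearlyconversing.com magentos.info
""".split()


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing root dot."""
    return name.strip().rstrip(".").lower()


def to_unicode(domain: str) -> str:
    """Render punycode (xn--) labels for display; fall back to the ASCII
    form if the built-in IDNA codec rejects a label."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def matching_domain(qname: str, domains: List[str]) -> Optional[str]:
    """Return the configured domain that qname equals or is a subdomain of.

    Xloader/FormBook commonly beacons to www.<domain>, so subdomains must
    match; 'notmambavault.com' must NOT match 'mambavault.com', hence the
    leading dot in the suffix test. The longest match wins on overlap."""
    q = normalize(qname)
    best: Optional[str] = None
    for d in domains:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(best):
                best = d
    return best


def parse_line(line: str) -> Dict[str, str]:
    """Parse a 'key=value key=value ...' log line (constructed format)."""
    fields: Dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
    return fields


def hunt(lines: List[str],
         domains: List[str] = XLOADER_B6FG_DOMAINS) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, normalized query, matched domain) per hit."""
    hits = []
    for line in lines:
        f = parse_line(line)
        q = f.get("query")
        if not q:
            continue
        m = matching_domain(q, domains)
        if m:
            hits.append((f.get("ts", "?"), f.get("client", "?"), normalize(q), m))
    return hits


# Constructed sample log lines (assumed format; not from the report).
SAMPLE_DNS_LOG = [
    "ts=2022-05-21T10:00:01Z client=10.0.0.5 query=www.mambavault.com. type=A",
    "ts=2022-05-21T10:00:02Z client=10.0.0.5 query=www.google.com. type=A",
    "ts=2022-05-21T10:00:03Z client=10.0.0.7 query=WWW.XN--980AM9A.TOP type=A",
    "ts=2022-05-21T10:00:04Z client=10.0.0.9 query=notmambavault.com type=A",
    "ts=2022-05-21T10:00:05Z client=10.0.0.5 query=sha256.equipment. type=A",
]

if __name__ == "__main__":
    for ts, client, q, d in hunt(SAMPLE_DNS_LOG):
        print(f"{ts} {client} {q} -> {d} ({to_unicode(d)})")
```

Running the block as a script reports three hits from the five constructed lines (the www. prefix, the upper-cased punycode name and the exact match), and ignores the look-alike notmambavault.com. Because most entries in the list are decoys, a single hit should be treated as a lead to pivot on (process, parent, HTTP path) rather than as proof of which domain is the live C2.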
Targets

Target: PO0932083943974.exe
Size: 351KB
MD5: 1e8d5e2871ef3da902db085c1b5c9e4f
SHA1: a3e42499d53bcf961dfbaceca2c3fb5fc4d54364
SHA256: dee1fa115a3e06310b958baca7bf709144f770de027ab3c615f6937b7544cd75
SHA512: bbba879de92397a2141aaa4e780a99e1434e171d31dd2698e97363518b140635c20adb98718073f7d2b12935a14bde61b70ff7d5d528058c4a50794b865f2446

Network signatures (Suricata)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Both ET rules are FormBook check-in signatures; Xloader 2.x shares FormBook's check-in format, so these alerts are the expected network detection for this family.

Behavioral signatures
Xloader Payload
Adds policy Run key to start application (persistence via a Run value under the Policies\Explorer\Run registry path, which is checked less often than the ordinary CurrentVersion\Run key)
Uses the VBS compiler for execution (the .NET Visual Basic compiler vbc.exe is spawned as a host for the injected payload)
Suspicious use of SetThreadContext (typical of process hollowing or thread hijacking, i.e. running the payload inside another process)