General
Target: 39aff459babaf4488ea90b5e81e463044d4ad3b8a17a3bfcb247725a288db025
Size: 274KB
Sample: 220521-azydeabag8
MD5: d114e8d71cc065c1019da2c071c9541c
SHA1: 9143b3372a32c79f06f8b8cc3098f390a0db17d7
SHA256: 39aff459babaf4488ea90b5e81e463044d4ad3b8a17a3bfcb247725a288db025
SHA512: 528e53706096a0e2d619f678390b7d520090db5df92a25832ee23a59acf07d01ea769d31d9f13c2cfd2eb84f9c85c8de62b95dc769f369d79e5efb47cb476c33
Static task: static1
Behavioral task: behavioral1
Sample: PO0932083943974.exe
Resource: win7-20220414-en
Malware Config
Extracted: xloader 2.0 (b6fg)
Targets
Target: PO0932083943974.exe
Size: 450KB
MD5: cc034757c9d872b0a95e4a67967e50ac
SHA1: 607ec4ab698dffdd9b0546f3a030a88fdd6ce8b7
SHA256: 0047270c26f603d132bc8e6a67894311356fe2d3c977aa287a09a8261f6b5690
SHA512: 78cbacad75abf582651694af5edf2b1b479851f43bff1cefbd422943e4ebd232c54d0b00e58314760c47ccb1b9d9b433f1ff6686936091a7dd1929173e2638d8
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Looks for VirtualBox Guest Additions in registry
- Xloader Payload
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Uses the VBS compiler for execution
- Adds Run key to start application
- Maps connected drives based on registry: disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext