General
-
Target
PO#101581.exe
-
Size
869KB
-
Sample
220521-lz2xdabfc6
-
MD5
95f35b3fb58633c97069fe1bc12f39f5
-
SHA1
e1ee2cf79953cc0f472c9b3af9fcc389a5bc492d
-
SHA256
151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36
-
SHA512
358656d5e219d138a56e25f54b890a98062b5539db4da25685e659276ecfafa68c00ffa83383dac8d35cfe6270eec87da8b306a61a125128869e61ffb934d050
Static task
static1
Behavioral task
behavioral1
Sample
PO#101581.exe
Resource
win7-20220414-en
Malware Config
Extracted
xloader
2.6
ssmm
bhealthybu.com
formasyonlar.com
huddleadvising.com
iroofer.net
pokerisparadise.com
partnrsocial.com
omnixinity.com
sandibet.biz
xxxpool.xyz
mainsuranceagency.com
filipkaarrtofffers.online
txgongsi.com
bonasuplementos.com
sxp89app.space
grandeurjewelryph.com
productsorcerer.com
mrussellhandyman.com
igorstelea.com
cateraevents.com
yashaswistudio.com
stuy.top
canadianpharmacyonlinesrvh.com
sellmorecrm.com
chinadoorexpo.com
southlandfiltration-au.com
bca-landing.com
pinetreemusicclass.com
sandboxes.biz
executiveparkfly.com
ourfutures.biz
cqxcfn.com
gruberhome.com
wildbluewonder.net
6675fh.taxi
krnl.xyz
gilmaria.com
riku.agency
smonique.com
lrlbgruchi.quest
chwrell.com
triumcyber.com
bigtimetickets.com
arthashasthra.com
abs-traders.com
brownhorsecoffee.com
iaintgotish.com
lanhodiep247.com
caitlinmemorial.com
thefatreview.com
upchurchconcertmerch.com
prestaservices34.com
longnanjrq.com
mechaotherside.land
gennieclean.com
xzgtgg.com
furunhasan.xyz
timmarriottinsurance.com
its-my-pleasure.com
xviseos.red
combatiq.info
moncelebrantdemariage.com
yukselercanmedyagrup.online
zillionsband.com
radicalmalls.com
g2r5v2pp.xyz
Targets
-
-
Target
PO#101581.exe
-
Size
869KB
-
MD5
95f35b3fb58633c97069fe1bc12f39f5
-
SHA1
e1ee2cf79953cc0f472c9b3af9fcc389a5bc492d
-
SHA256
151572bec6e274bad481a8c0736a4888931c086f3fdf890be9811eae7c0c0c36
-
SHA512
358656d5e219d138a56e25f54b890a98062b5539db4da25685e659276ecfafa68c00ffa83383dac8d35cfe6270eec87da8b306a61a125128869e61ffb934d050
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Deletes itself
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-