General
Target: d8e0769ada04d3face55959134a7eee5e55ef10f65eedeae65d9218e4371ace4
Size: 445KB
Sample: 220521-nzgbsaheck
MD5: 6e5c8107462ffed31886a7f9491722af
SHA1: 61d5bd761f346d04d94e653e51898f1c588d7c4b
SHA256: d8e0769ada04d3face55959134a7eee5e55ef10f65eedeae65d9218e4371ace4
SHA512: 62cf74a241a097a0892089e1ba90edfe1dc813b891b18458c58af722896fac08c13f03e66ffd0e39e29641cf54309253aa646754fdb3da3aef17e2d9bddeb093
Static task: static1
Behavioral task: behavioral1
Sample: PO328632.exe
Resource: win7-20220414-en
Malware Config
Extracted family: xloader
Version: 2.0
Campaign: b6fg
Targets
Target: PO328632.exe
Size: 777KB
MD5: 9f5b32d6839c520b18b9ba182e3c47e7
SHA1: dac91fc3f2dcdc37262418f60b743b52770312b2
SHA256: e1791b23657d18fc636878f24a44a32f1a2ae4814668600b14b10c03e48c587c
SHA512: 7e9e796be039ff6a60dd8fe5e2bc2d64634a85d0998267148ebbfd02e870faf241fc2cb9c178ddab8ef8a5e65bdeb0ad3db004bedd6439df54e1922667ebc5cc
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Xloader Payload
Adds policy Run key to start application
Executes dropped EXE
Deletes itself
Suspicious use of SetThreadContext