General
- Target: 288af22386d598b4f132cdd48af047726697d5be16b5e7757eab935e54605c44
- Size: 506KB
- Sample: 220521-pajahsabbm
- MD5: 1a0492c001243799355edeeee6763f1f
- SHA1: ed8993990e707bd5f7e48b7dc676c82c0cbe85ca
- SHA256: 288af22386d598b4f132cdd48af047726697d5be16b5e7757eab935e54605c44
- SHA512: f1880ea27a86010595b45f271ce8f3293f1cb239a101f073d4574cfed37fd49f285da56bbe80e8f62029d653d21b041b7bf18411c95017597ba55507f4939093
Static task: static1
Behavioral task: behavioral1
- Sample: PO894749745.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: xloader
- Version: 2.0
- Campaign ID: b6fg
Targets
- Target: PO894749745.exe
- Size: 720KB
- MD5: c705b518d1ca69c0443f2f5eb0e655a2
- SHA1: aab7fb45b724954b382f93a3aebc5109f7fb4138
- SHA256: 371a78d5f848b70de0d716586851eec55e92fc1e4e5898943c62c67a99c9e07a
- SHA512: fe206b5f73624134eecf339d134384a66d44fc8a890f67e4b2fa1867caa10106b5e715343885f945d4f145b52c944caec9abe4e04126904944d9735766fc8501
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Uses the VBS compiler for execution
- Adds Run key to start application
- Suspicious use of SetThreadContext