General
- Target: 0be2b3666584ba80d0c8ae2606b95be719dc38fbb04a6059cc34529825996d53
- Size: 251KB
- Sample: 220521-pzct2agcb9
- MD5: cdcb31f9b23b96c5b90a0d34a73b2781
- SHA1: 5c949be4f712dd59864872b198bb5ae823c2ca8b
- SHA256: 0be2b3666584ba80d0c8ae2606b95be719dc38fbb04a6059cc34529825996d53
- SHA512: e5f54ed1710b32b9d9b7f0ca4da630df186b4292198114c6cb2ae8c4b2aa214a49b8d92b92cb7876a8b5e673b0d382af645136343756ccd572c7bf320d9c344e
- Static task: static1
- Behavioral task: behavioral1
- Sample: Scan_order9215060196.exe
- Resource: win7-20220414-en
Malware Config
Extracted
xloader
2.0
war0
siompany.net
55667879.com
smallmouth.net
fordforlano.net
placadesilicon.com
btw-butler.com
almbeauty.com
jbthomson.com
presidentialtennessee.com
chiropractorinnorthport.com
yourber.com
get-luxurycruise.rocks
strakellc.com
eukncg.info
pablovergara.info
sologoods.com
toledovista.com
weightlosscoffees.com
echoawyer.com
csproductionsmedia.com
dwspd.info
thetruketo.com
babiescamerino.com
buyamzproduct.com
qhccwcyy.com
beyondt2p.biz
hesvjgg.com
4twentyicecream.com
collagenwaveofficial.com
bestsellingnovelty.com
butterflywarriorshop.com
r-city.info
on444.com
univers-travel.com
mandarinasinpepitas.com
hakupu.com
lokmitrabloodbank.com
autotrasporticanale.com
espiarwhatsappenminutos.com
satnanews.com
xhtd645.com
lucidabright.com
qushipower.com
del-cafes.com
kanatrevor.com
lauras-augenblick.com
maydaytravelsandhospitality.com
weatherclan.com
kikmessengerforpcs.com
albergue-pintueles.com
koshermykonos.com
grupoeysh.com
enchantedpincushion.com
northwindcharter.com
coretrainerpro.com
bestfamilyfinance.com
www334678.com
justinmo.com
mienert.net
radgirlonline.com
sports-picture.com
jiankanggansu.com
cnoemsoft.com
fitlifereport.com
magentos.info
Targets
- Target: Scan_order9215060196.exe
- Size: 327KB
- MD5: 3902d05dd23263e123e94136dbde2f38
- SHA1: a106c76ed170064b60a541a4533b2610e7e652df
- SHA256: 896745863d78a02b1cf02565dbeb3bca4bfd156a1079d28c07ddfb2d8b9fc665
- SHA512: 1900a2b722bc099bf4733c412db310916a4258b6482d6676a47332983c299d03a89e04f8614f49be3bd43ee464aef7d3ac66f6c5bf378601b7f77e06c969c881
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext