General
Target: INQNEW#PO24052022,qdf.iso
Size: 328KB
Sample: 220525-razcvaahe9
MD5: c465d4c7469ae6b40cc77e8769fd4b27
SHA1: 4b180fbfa958909a9505e9b7f625c6127c18789a
SHA256: 62d4b809036b03226c7b5c36b6126d97cc1ecf915200146391bf05e74c58e874
SHA512: aff433a1ceaf907a031b5d5bc742efb79118819a48e508935335e2ab0a807f021deaaf369196d39464af81a39fa31f7f9b5f84431a5fec29f154ad37c1d065d3
Static task: static1
Behavioral task: behavioral1
Sample: INQNEW#PO24052022.qdf.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: be4o
Domains:
laboratoriobioixcha.com
tictocperushop.online
wild-oceans.com
belaruscountry.com
kicktmall.com
fitcoinweb.tech
mores.one
gogear.one
gxrcksy.com
samrcq.com
impossible-icecream.com
bravesxx.com
bookchainart.com
sleepsolutionsofmboro.com
ocbrazilbusinessclub.com
advisor76.xyz
xitaotech.com
mgsdtytifgf3414.xyz
johnson-brown.net
cr3drt.com
virtualtourpro.store
transporteriocristal.com
fjbingjiang.com
minecraftrojectx.site
ttrcb.com
sexlarab.com
cxzczc2.online
doorsmm.com
weisbergiegal.com
skythinks.com
schoolsuperaty.com
swampbucketkids.com
networklogicsa.com
businessevs.com
gulfcoastclinicchiro.com
milliards.xyz
moviesquery.com
cycletostack.com
c0wkvo.com
inkingthings.net
cookvillecampgroundvt.com
rajeshprinters.com
binge-bane.biz
ginger9632-voice.cloud
1nfo-post.com
unta.xyz
liuhumu.com
khandaia.info
ha01qnscvts0l.xyz
liert.site
allflowmedia.com
6ibnuj9t.xyz
embravewise.com
responsabilities.com
apexges.com
ola-speechtherapy.com
pristinefarmlands.com
adaraateristiayote.store
journeyhomemeditation.com
96238.top
nosipokip.site
itt-service.com
bw590jumpb.xyz
relieveyourdog.com
qiyeweiiliaoo0428.com
Targets
Target: INQNEW#PO24052022.qdf.exe
Size: 276KB
MD5: ebb0fecde4a2e88c63c27c82810113b5
SHA1: c5658bec21ea4dfe2d0a66089d2d18bf081c778f
SHA256: df1b0eef4f32a5c2527691175375962957db71bc913d37f6e71150e599b2b31c
SHA512: 05960c717d5f30ca5b1424a3a2806c2a7a00b6ec4a3949bdb7db4d7f5fd885119cf18cbb752537ddcb7bc277ecf683d060c40baee3ac6bdb6f76cb5a50598ad8
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext