General
Target: RFQuote.PDF.exe
Size: 767KB
Sample: 220616-jfs41shbfk
MD5: c391e7482ede48d44965004653d83212
SHA1: c7142f7f7c882b0822a5ad89de5d4d9bd971f100
SHA256: 43963e1c6c61b149cecadcf3d653c197836f104e2396a174ff0cfae18f041ace
SHA512: 4803bf638f4fb399fcb27be17550aad6aed8427c949d53017d73dc0ede0be3efc29aa01a5b138c16543fdcf6b592b248199da812c2e557950611b79408733342
Static task: static1
Behavioral task: behavioral1
Sample: RFQuote.PDF.exe
Resource: win7-20220414-en

Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: heqa
Targets
Target: RFQuote.PDF.exe
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext