General
Target: PAYMENT COPY.zip
Size: 487KB
Sample: 220621-g3rhlaeca2
MD5: 1fff88b07a5cded5c4cf7bbdc6e99e51
SHA1: 8d32fe3e3eaf255de22fc6cb264e3171d96d7e6a
SHA256: 12dad12ea40f9ea651fb7f6fd53bd397f824111f1f57cd88f567fce0c71a2c6b
SHA512: daf2dd0d9301a7d21fa8f9a1f395deb37062dcce0c299404709521a90ba1035f5eb2c177f27a666be217fd8bd27c20b0cb419d4fc538faadd2d0954ae2b46d64
Static task: static1
Behavioral task: behavioral1
Sample: PAYMENT COPY.exe
Resource: win7-20220414-en
Malware Config
Extracted
xloader
2.6
be3s
Targets
Target: PAYMENT COPY.exe
Size: 622KB
MD5: 7d134d7411132c648a3e8c96b6512ddb
SHA1: ac36a8371466aa2cc72dd8de3d82c8ee79223358
SHA256: 6754c12fc6c245becc9c5104eb4c130ee31217a4a8cdee324f468c2c26b4e051
SHA512: e27e1ad2543efead629e66a580be1cf4a8712c695d2d778c55cc93c6b3c870dd680040f318f1309f0d685352da5bfae8797fa02aa1f4cf8a1a07aeb7e4cc0550
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext