General
Target: Shipping Documents.exe
Size: 682KB
Sample: 220621-hxmswscbap
MD5: c64c0beab3c9f90e245fe3b579e6ace9
SHA1: e7d007829dfe83b8d05b50b21b0cde655f966234
SHA256: 6d7cae2e6900b4498dc7531835fa27a6cb76f8dfd2b3c466a1d47f7a2f479706
SHA512: 9ef85af52dcdf5c064de6559c1085e41359d1e9a1318209554097aa9934ea3cc438cd1b312e3ebbcbe4b889c5d3420ea2ee63926f296072a20ac82a45e602dc6
Static task: static1
Behavioral task: behavioral1
Sample: Shipping Documents.exe
Resource: win7-20220414-en
Malware Config
Extracted
xloader
2.6
gwsr
Targets
Target: Shipping Documents.exe
suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext