General
- Target: Catalog.exe
- Size: 880KB
- Sample: 220621-nl5r8afeb9
- MD5: d880e2de89f81c41584300562970fb92
- SHA1: edf38c0c4eaa77d865f25ea92fd9e09168893228
- SHA256: 085917245898b3d25910807103748a579b389697e79bdceb82b043f66b86a130
- SHA512: 8a5a7e5625ae41bc438f9fa91cc556bcf4e471ffac99d11a64b7dfc2fbb833789c22007a69282729ac895a5ae3a3c8d9f791fa9a7bf2d88a7c0b7d2285572f80
- Static task: static1
- Behavioral task: behavioral1
- Sample: Catalog.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: xloader
- Version: 2.8
- Campaign: nmd2
- Decoy strings (as extracted, still encoded):
FNWENUOMqqSv0Q==
ls6DEbQ1KBCeSsvUyRg=
mwgrjwpFplaykGoT
Uzzj8yXi13iLMnNGZcnViQliwA==
T7vzj0l0lqquyA==
csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=
YaXyTwg3p1vrf/n9kYJQjrc=
cHAfFEI1JKDF4mTsGjDbeg==
TdDv+o9VSFep3wgTtY0swqQ=
Jw66vdyXdRZG9jJZycLD
icGvsuKZgXNid1M=
6m6H0GvguY+vZZpcioudbQ==
kNUBYMuymhgm2b0q3bEAiQliwA==
M3SiAXRbVe0XAsxDOIp6cg==
+eWLk+HjRRe3LuyavQ==
753R3QYD8XOWtWI0ouGpYw==
dRg+bQZ6TSbC8Sbs2mXXxLM=
kDlUsE+U7Y/RfUQ=
oENlcFZVqqSv0Q==
HCC+nbachxEs1f29GjDbeg==
ctsJlTxo3LFbK0RZycLD
VAV965YJquX+b2gE
wUpcvG0A0kxkhA6dsxec/Ufb
+Kzh3Pz/WTFKLuyavQ==
5IBvVoiTqqSv0Q==
qhS7ELozBsxWGdGNLWXXxLM=
sIdm8Gid7Y/RfUQ=
o9jFl8KnrZEe2UrO2mXXxLM=
eecJaOIceBS8YCLfz2XXxLM=
wvauO+RYyniHRncupG0Ten2V2PDf
meDvRhWM7I/RfUQ=
LlL2kO+2mQQBt6Mbi3M85yXR
/5hqNCjixE1T+DRZycLD
mghXL0b5y1BTAeKFZgcVnbs=
vpRLqCgVpBo+
MhWVgapZL/AkxgTV9WAniQliwA==
G1w14UrRoHGpQ2UVK4BOy+cryA==
Xfjtvd7Rx2B9KWsoP7tp2dGrHmR49g==
YV3YuM5Fbwwp
6l5Yu2CUBLdfCsCe1E47UUFRqOVl4gQ=
zvsbe+zuUwGeQ8vUyRg=
1cI0GBeUfY/RfUQ=
nWgfnkDEUGOJLuyavQ==
0bosGEv++89jmJdZycLD
k55xymOPqqSv0Q==
9Vo/hSEVpBo+
Goh71Ec2I5igPHhLh/mfMmK1d4RK4BA=
ejin8nSfnQonPPibLWXXxLM=
yQUskS2vGpw=
YCbKnMOAcS5Y+zBZycLD
UsS4CoF4lqquyA==
FpSWpcVFbwwp
vFSrpMeaqqSv0Q==
tFR01kVKp0L6IRiD9c7Of5Gus1L3/g==
yr44IihjQHNid1M=
2VRJm0F25df4EZY9bdXViQliwA==
jm/jvLpEJfmbUfbOAH5IaYmZTuVl4gQ=
iYId/jAYAao9W1Oz20NHfcakEBY=
tiUNWfcurI6YSYQ5U7m4ysDQLVBMgdA6iw==
ZeixX31Fbwwp
7FBmslXBOQwbzrIwoXNBiQliwA==
VVr3w7qAY8/hAH5hZsDU
vDlm1IsR5KjVf276e18NPWGBTOVl4gQ=
IxGhEq722C9Yfbn6GjDbeg==
- C2: gelasbeauty.com
Targets
- Target: Catalog.exe (same sample and hashes as listed under General)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext