General
- Target: tmp
- Size: 451KB
- Sample: 220621-qz8r5sdgcj
- MD5: 9e1bb80ff1f6f5181ed26c62ef3de29d
- SHA1: 5c37096275b5947dfd68ccacc92eec204fa73883
- SHA256: a92f8917b2e98217ede5359f7906dd0a60df26e087a1e1c33b81797a334fb448
- SHA512: f1493090882bbe106508b50a0dcc8ac9966b157837f3d3d428b5b1977bcda3ea00eb067b5f925add5a38e069cfb4e7ce63be49ba8db29b23eb171290226e7004
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20220414-en
Malware Config
Extracted
xloader
2.9
rb1k
strictlynightowl.com
Targets
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext