General
Target: SecuriteInfo.com.Trojan.Win32.Fareit.9a2b145f.1321.13942
Size: 684KB
Sample: 220622-tdw31acda3
MD5: fc54c57b9b4181c30db0748d08cf5450
SHA1: 6f2d9b31ff707bdae54cb6b43678e1a4ccfae2d9
SHA256: 405fde3cb4a7bce2ea1037d3ad8d241459607340c1a4748599736fd3acdd26b9
SHA512: b75e0cec6f21b9b7c21927b30ada739a7eff793cb7bc2b411d31d4101714391a14df929d90bb2483dc4157677280d4e455097e73f3ad507038ffa2f9f43ab37d
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.Win32.Fareit.9a2b145f.1321.exe
Resource: win7-20220414-en
Malware Config
Extracted
xloader
2.6
gqvv
keyclash.com
canadianinspiration.com
testmanagement.xyz
doxpunk.xyz
kodacult.com
snatchbra.net
313370955.com
sarochin.com
norozoto.xyz
nbpanthers.com
colombiaartesanias.com
m57hwtiuu7h.com
tsaerac.com
alugiare.com
elizeusomautomotivo.com
fgijjisdifsd.xyz
isecurewebsites.com
incomeviaonline.com
caribbeanbrunch.com
alveus-solarboote.com
huntercontrols.site
programma-2022rub-aprel.online
trendiddas.com
despinaandcorealty.com
buylifollowersreviews.com
hospitaldealblog.com
profitbuildingacademy.com
novagamesofficial.com
sanavspices.com
shoetain.com
hi-123.net
northcountrychamber.online
9827x.xyz
257tottenham.com
victoriasbnb.com
maps365.net
busstok.com
arizonacity.xyz
substantiall.net
jiehao.xyz
xinchengbohai.top
temzies.com
questionlifesfilms.rest
mujulingjian.com
othersidebroker.com
fgwzns.xyz
thirsty-monkey.com
axiomnexus.cloud
tamagorchi.guru
kldo.media
nionpay.com
lockhomes.com
sentiospa.com
airlikelab.com
mft029.com
jmaaffiliations.com
primary.quest
k8n7zg.club
sniwlktyvwhn.club
schoenesachen.net
kowkao.com
go2learning.com
secrty.store
curiobeauty.com
theguestacademy.com
Extracted
formbook
4.1
n7ak
modischoolcbse.com
theneverwinter.com
rszkjx-vps-hosting.website
fnihil.com
1pbet.com
nnowzscorrez.com
uaotgvjl.icu
starmapsqatar.com
ekisilani.com
extradeepsheets.com
jam-nins.com
buranly.com
orixentertainment.com
rawtech.energy
myol.guru
utex.club
jiapie.com
wowig.store
wweidlyyl.com
systaskautomation.com
citromudas3a.com
plasticstone.icu
pawchamamapet.com
beautybybby.com
mor-n-mor.com
getoffyourhighhorses.com
chieucaochoban9.xyz
grahamevansmp.com
amplaassessoria.net
nutricookindia.com
wazymbex.icu
joansironing.com
hallforless.com
mycourseprofits.com
precps.com
cookislandstourismpodcast.com
bestonlinedealslive.com
bug.chat
ptjbtoqonjtrwpvkfgmjvwp.com
tortniespodzianka.store
qxkbjgj.icu
aurashape.com
guinealive.com
mondialeresources.com
offthebreak.site
maxamproductivity.com
thebiztip.com
thelocalrea.com
laeducacionadistancia.com
inpakgroup.com
lvgang360.com
allvegangoods.com
tymudanzaramos.com
simpleframeswork.com
thehappycars.com
directfenetres.net
norskatferdsterapi.com
hostingcnx.com
ksmh5x.com
thespiritworldinvitational.com
jetsetwilly3.com
gameflexdev.com
tryhuge.com
vaporvspaper.com
kmresults.com
Targets
Target: SecuriteInfo.com.Trojan.Win32.Fareit.9a2b145f.1321.13942
Size: 684KB
MD5: fc54c57b9b4181c30db0748d08cf5450
SHA1: 6f2d9b31ff707bdae54cb6b43678e1a4ccfae2d9
SHA256: 405fde3cb4a7bce2ea1037d3ad8d241459607340c1a4748599736fd3acdd26b9
SHA512: b75e0cec6f21b9b7c21927b30ada739a7eff793cb7bc2b411d31d4101714391a14df929d90bb2483dc4157677280d4e455097e73f3ad507038ffa2f9f43ab37d
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- ModiLoader Second Stage
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext