General
-
Target
tmp
-
Size
283KB
-
Sample
220624-gj1l6adac7
-
MD5
3003d7f5f37555dda6aaedc46ebffb6e
-
SHA1
2fc3bfb42f58a9c1c6c9383015347b9c8935d14f
-
SHA256
2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c
-
SHA512
c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220414-en
Malware Config
Extracted
xloader
2.6
tn61
ryliehorrall.art
mesdco.net
street-art-ink.com
sepetcin.com
stilghar.com
hawaiipooltiles.com
fuerst-von-falkennest.com
totalvirtue.com
xdk0blc0tqy6a7.life
zootowngravel.com
kreditkarten-optionde.com
6888tlbb.xyz
albertakleekai.com
travelnurseinfofinder3.life
valleyinnswat.com
secure-remove-devices.com
digitalswamy.com
www112casinova.com
medifasttrd.com
distritoxermar.com
ebwagner.com
biworker.com
0571kt.net
mjuelaw.com
buildlimitlesswealth.com
wbclips.com
session.care
museatthemill.com
pjhxsl.com
momentums6.com
electricbike.energy
accommodations.network
libroskolibris.com
sejintech.net
parkchestergardens.info
gndgame.info
arcwarp.com
aboveallonline.com
dinotacker.com
ufc188livestreamfree.com
saulomar.com
atmworldexpo.com
chooox.com
admissium.com
dacdem.com
oneruk-chandeliercleaning.com
oyster-iot.cloud
mutinybrewworks.com
yaoih.com
dmitchellpropertiesllc.com
nuoicaymosaigon.com
peacockgotv.com
nextr.xyz
bidvastil.com
shahanhan.com
goodlordy.net
banlyeojob.com
tasteatlus.com
ecotone-os.xyz
urbanartco.com
drecibo.com
davegwatkin.com
pharmiva.net
accordingtopreston.com
blizzardboy.net
Targets
-
-
Target
tmp
-
Size
283KB
-
MD5
3003d7f5f37555dda6aaedc46ebffb6e
-
SHA1
2fc3bfb42f58a9c1c6c9383015347b9c8935d14f
-
SHA256
2fad61e5630cde696d8ea57db27d521ed4ff87ae0c5e692c597171439ae6d01c
-
SHA512
c9df0576f1f92639c69c79cd230ce80a4b8606791e0be99660fb119e207ff894b6c10f31fbba70699dc7e296c8e061130e5eb765e2eef521e602a8918f32e050
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Executes dropped EXE
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-