General
Target: orden grande pdf.exe.xz
Size: 100KB
Sample: 220627-k38nnaaaep
MD5: 82bab8ebf2949ac930f84e71b1ff66fb
SHA1: ff5ddc3759591dccb2b3ec5bd37f67d0d9ec57ce
SHA256: 7e05beb1f3567f6c96823777d029ceb27c43e7f275304e57b28f6c42bbbc099c
SHA512: 5dee480e9380eac5ec94270809c348636b09b2f1f737f148df0003b09d45abcb4548a842e2c9376196cfd7400612a6bb562639d6af6887d7efbbd5468f2c4fc4
Static task: static1
Behavioral task: behavioral1
Sample: orden grande pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted: xloader, version 2.6, campaign gqvv
Extracted: formbook, version 4.1, campaign n7ak
Targets
Target: orden grande pdf.exe
Size: 241KB
MD5: 149d29a68788c9cd599cba389698ed47
SHA1: cad8135bbbee484b91b87df367631b9043c2f403
SHA256: b92800b4c8d2200d261f52287439016dc29ba57a73d428015ab05ee98a19c159
SHA512: 6026a7692a4a745518f2c8404a1c4b4c08e8c66f2d6fe0c9385c73d8a125bb26bba8496b4f9a492d3c8bc73140ba2173d3583435318245fe5ea0004e51a916c7
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- ModiLoader Second Stage
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext