General
-
Target
Order_SC00167861.js
-
Size
355KB
-
Sample
220628-l3x3laadh8
-
MD5
59a6fbc96766f321e57bc303176e6668
-
SHA1
e716a824708d6c441015b8f121c609904922d8ba
-
SHA256
27e9285ffcecae79f52314558cdaffcfbbbdbcc10e220425daedb5b4663bde11
-
SHA512
edfdb1cebea4f21027e3988e43a41312e38ca4375cd28d018c4cc6e0b1bd38f440c5074703a504899e1603b2096f552da4b98a3483ba7a0ef9e8d4f58d001b5e
Static task
static1
Behavioral task
behavioral1
Sample
Order_SC00167861.js
Resource
win7-20220414-en
Malware Config
Extracted
xloader
2.8
r4wf
eQLhwti8E4CX1m8bp0WK2Q==
axoAyf6nwR9Y43o1nFx+930=
vf9fMlHrgdcI
TRQU8PPgFWegAcLFsjQ5TUX2
CFXUiz7SjsLqcQ==
XKeIL6Nmg+8pokY+wjaooasXRQIt
NLSkgIdanO/4SNPAdlKUrIms7Q==
TTKhgqyuCnCmH7yGa12g8HXrnY/nKGI=
5X0d70pNfaYGRgI=
fXXOk9C1+U9bhkIBIqn8
dN7HmMiv/TtAgyP2tYrEG2Yq4Yw=
HRqUgbJeorn4Zg==
MZ7Sh6xm71vhCNLW
7iFsO188fKYGRgI=
o9VC9kgPVXmCz2gBIqn8
B0y+iMbD+lzhCNLW
ciUeBS0WbdHuVGH+xJU=
Q3334PeyxydNmzoBIqn8
kgHx3RbrgdcI
WQjgo8h9g6YGRgI=
5RSWW31YnAQ0ly3EKxV49Ju7soyJQA==
jnvHrOp+rylh3aQZihBxX5AXRQIt
UvzhyOTBC1WuFalOvTeQFGYq4Yw=
JZKCTnBTlejw6sWEQmBrwWQ=
PsvChalcbbW9/sl9iUyM/Y4MyIY=
twF0UY9YdMf/SOXm7kJHrIms7Q==
U8aniaNnU7TGF6KgX7kkEAfBuXDcuj58
d6kL7Q/Dsv8Qai4y5Dx+bHXrmY/nKGI=
Oy7kr7SLuiFlumMrnFx+930=
YKA43EILPp68Ls2R9Lu9Xg915Q==
OsbEm83iRasRDcDP
N7SzS9W0uRU3jEw+7ZvgQsW07A==
f3LUyOCo6jdfwW4AY1CXrIms7Q==
UVexkL12kKr2QwPEJZ0=
F5PLbMl0rduR24TB
yZuGQ1U5f6YGRgI=
HEOfhKiQJVuUF6ox6uNR0Q==
Y0y0eYw9Q5bD79Ruvg==
aILeq6iNyQqR24TB
dHbUZQWZqMpavHb50CBVrWo=
lEsUpuTUL4KuEa6EVT+F1B7Jgx0z
LDSDX4NENrXnVxAP2rblGjXr
blvKotCPoer5Rvy6VxBcwA==
KMS/ofYGorn4Zg==
EZW+YNdYd+M=
Bop1VFUuccfWIKWmp0WK2Q==
iQDv0R3h0/YxkBU=
NjOefp48RqfbFrOKbecxadZp8ZE=
kTsuEDj5OizhCNLW
w/RTHy0Lc7fSD97wsgCGrIms7Q==
8x18XKJyZ8T1aGH+xJU=
vmxeL0noCmyZBdKGyiE5TUX2
eF22k9DMDF2P/7CBQlx+930=
wO1QPF42ctH+cRIR1is5TUX2
HbqukMjFFHHhCNLW
D0qyl8BhFPRQybNMMafz
rPZqR1Xy/l2Z9H10TVx+930=
bJwP3QPxOZOO0no3oBxixV7nmo/nKGI=
mwL41gvf3SJgzbVlwoI=
dCYI1OqmwRErjloyoInfIWYq4Yw=
Sks251UsiN4K
6qGScqVeRZ7IIuHhx1R7o8aZiyMl
EDaaWIxK/t+R24TB
NSyQY6+MoLlHKmH+xJU=
heatedaffaisr.com
Targets
-
-
Target
Order_SC00167861.js
-
Size
355KB
-
MD5
59a6fbc96766f321e57bc303176e6668
-
SHA1
e716a824708d6c441015b8f121c609904922d8ba
-
SHA256
27e9285ffcecae79f52314558cdaffcfbbbdbcc10e220425daedb5b4663bde11
-
SHA512
edfdb1cebea4f21027e3988e43a41312e38ca4375cd28d018c4cc6e0b1bd38f440c5074703a504899e1603b2096f552da4b98a3483ba7a0ef9e8d4f58d001b5e
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Drops startup file
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-