General
Target: shipping docs.exe
Size: 722KB
Sample: 220628-ssksvacah6
MD5: ec529b525e7897c81b9fd1e2291cf885
SHA1: 867d80609c6fe0cafe8326c5572c243e24da1f42
SHA256: 1752302de3862bd15be2d539255fed5e71a4180cd987b206542ef8d5f5c6af13
SHA512: 6080162b81e69209f6866c7e3e5abfb52a719c0ef55f523e637af26646daf91c01f6e150790e8a12f87db5a76a39aed7fa92510c2149c7f4ca6e88e0bd11003c

Static task: static1
Behavioral task: behavioral1
Sample: shipping docs.exe
Resource: win7-20220414-en

Malware Config
Extracted
Family: xloader
Version: 2.9
Campaign: gfv7
hd4AZDZ3XeSkZ9w0NRn2+JU=
6iAxmGKdumxFEgwp
jM6QcxNUSeCKaUdvvh3g9mffhosQ
d4CC0LS0DjTJS8FdXqd3soM=
S1LPlXEIJY52Og==
doeO7AimsF0NEvFgnIV5
W2TlzH/byHtUU3B7tw==
Y2RAbyZjex2qj6GQv4Q=
ftoOsCpZdfmALQ==
4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==
8mVs/AkvwLnIWp4=
yfqAazgHioT8b9yHSKpLDtgY
EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM
jn9ty+pdRNdtcDhJ5k8nwZofm4EJ
s9XVNv4/aRDBUx4w
+vHFE7Fw1rnIWp4=
wC395Yvi6G/3yoWRGW1USxzshi3Dyw==
jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM
iIyoIvZNXwPNmBlBxGk6+A==
C/hTD8h/KWLiMW4Mt/joXyz23Q==
V5ApC8yE9ga07OV4Q61LDtgY
xtLNTFFs/RCJA4orMGL9ApU=
/AKLeE8idfmALQ==
WJL8UAHhVg7FSqAxOWL9ApU=
9iK1jWPdwWJFEgwp
Rz0Nb3NpyLnIWp4=
th3awtVSNNiFPLlnLxPmXyz23Q==
PLAGb2JN/0tFEgwp
DwBJL0vXwz6VU3B7tw==
bOAIYklXEJsP7BUDjxTubP8Q
AzA1r1ApwbnIWp4=
GY7VFP8Z42Eu0zrPgv7M27H2j0s=
M1Xf2X3iJY52Og==
TniK5ZHG5YsoO/UBSCIK04Osyg==
bNielgswlcIx
BT5/syRLwuaFFoo=
zwZKrUOtnTLZkPUBUkIUo7nAxA==
S3TY7rP8Gao+W6GQv4Q=
8vR8aFToJinc8vkLXbaY8pHOkINUz5WM
fn99yILT1WJFEgwp
4CI0fVVcxeyXIYwwPVLo9Iw=
hq6/DbfACpAm
ZJBMLtsgRN6izYKOI6xLDtgY
0w51/t24cgbsNUTkoS3BBZM=
KigtlHKAVuSnOpkzO1Lo9Iw=
QJKEvBztdfmALQ==
JCr9WGswGbg7
cbnlTTM1lc+s9s/6j/3mXyz23Q==
nC9880u66IpFEgwp
8l0tFQeq3HFHilpg32RN0GRVOaxXKO8YOA==
aV4laF9ZdfmALQ==
p8+JhjIKxEMWa1707GVKBdbbhi3Dyw==
lsDLGs6vauq8ERrIkwrU1m76mhgPoVk=
VmL44pRG8A56zSK0xGk6+A==
0MtFU1jACpAm
ASApso7Btzm4sbLiY79LDtgY
ULrfRv1BUwzoty9HxGk6+A==
qasiAbIOJY52Og==
UZN9Xx2miW9FEgwp
zDMIAhSLts63jRpCxGk6+A==
f3gLFxpk+DG+U3B7tw==
qzWSblb1ernIWp4=
+CZPmjzmSGIHjN6BSapLDtgY
jsw3l0sshQ0MzjNRqA==
littlemountainnomad.com
Targets
Target: shipping docs.exe
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Deletes itself
Suspicious use of SetThreadContext