General
Target: tmp
Size: 270KB
Sample: 220705-pgzk3shafm
MD5: 40292541a586f5c7e2af4f0b5efde77c
SHA1: 4fc8c817e38575a5427fdd2741abf20fc9fb3365
SHA256: 0dbc37565a20d8e5d40c4c554a194719291bc91ab86db587337b580106f41cb8
SHA512: ceb7888d6a1a94f898f9fb3e44db01574256e59e7690238384fcc853b55553089d2fbf221b179b5cf4baaa54bc6f58ad3db3b36dc747170d10209f4fa4339091
Static task: static1
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: xloader
Version: 2.6
Campaign: uajq
C2 domains (XLoader, like its predecessor FormBook, embeds decoy domains in its config alongside the real C2, and many decoys are legitimate sites; treat each entry as a candidate until observed traffic confirms it rather than blocklisting or attributing on the whole list):
pixeldoughnut.com
amadeushosting.com
sitecindustrial.com
orsaigroup.com
jmuse-dev.com
angelobreviario.com
storesafe.xyz
40veryoung.com
65228267.com
xmpanshi.com
luxorscbd.com
saoirsia.com
akwadcom.com
spreast.com
net-empresa12pcs.com
avlaoge1.com
projectmuellerllc.com
hvelv.com
a2bproject.com
myhome-huahin.com
beautzenvibes.com
tzssdaayaqa.top
corporatexxx.com
sc-server-meshing.info
breadandsaltmarket.com
dac-nh.com
middleeastsecuritywatch.com
fox-influ.com
mndhestro.biz
voipverse.xyz
enrollee-healthbenconstest.com
peteinson.com
genevapunkska.com
tjysdxx.com
7t4zllco.com
healthypostureclub.fitness
npto3jzh.com
hd0b3oke2q90gz.xyz
thepeachcommission.com
duniabidan.com
ffmembership-garera.com
landllumber.site
bangimpromptu.com
visionboysnft.com
smonique.com
woomart.store
bathholidayhome.com
oci.fyi
lfla.agency
buymms1.com
uurdrzk.xyz
taliamagee.com
melishe.com
worthmoth.com
hotelnamastenepal.com
talmagart.com
ruomot.com
bitcoinodyssey.com
ezzahfatima.com
massthetics.net
yearningearningwithyoussef.com
winhcatraining.com
baunfn.online
estress.online
researchwhiz.com
Targets
Target: tmp
Size: 270KB
MD5: 40292541a586f5c7e2af4f0b5efde77c
SHA1: 4fc8c817e38575a5427fdd2741abf20fc9fb3365
SHA256: 0dbc37565a20d8e5d40c4c554a194719291bc91ab86db587337b580106f41cb8
SHA512: ceb7888d6a1a94f898f9fb3e44db01574256e59e7690238384fcc853b55553089d2fbf221b179b5cf4baaa54bc6f58ad3db3b36dc747170d10209f4fa4339091
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of SetThreadContext
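The two things a responder does with a report like this are confirm that a file in hand is the same sample (all four digests must agree, not just one) and sweep DNS logs for the extracted C2 candidates. The script below is an added example, not part of the sandbox report or the analysis platform's own tooling; it hard-codes the report's digests, uses only a handful of the listed domains (the full list above can be pasted in), and runs over a constructed DNS log with a simple assumed line format (`timestamp src query qname`). Because the config mixes decoys with the real C2, the matcher returns which listed domain fired so hits can be triaged rather than blocked wholesale.

```python
import hashlib
import re
from typing import Optional

# Digests copied from the report above.
REPORT_HASHES = {
    "md5": "40292541a586f5c7e2af4f0b5efde77c",
    "sha1": "4fc8c817e38575a5427fdd2741abf20fc9fb3365",
    "sha256": "0dbc37565a20d8e5d40c4c554a194719291bc91ab86db587337b580106f41cb8",
    "sha512": "ceb7888d6a1a94f898f9fb3e44db01574256e59e7690238384fcc853b55553089d2fbf221b179b5cf4baaa54bc6f58ad3db3b36dc747170d10209f4fa4339091",
}

# Subset of the extracted C2 candidates (decoys and real C2 are indistinguishable here).
C2_DOMAINS = {
    "pixeldoughnut.com",
    "storesafe.xyz",
    "tzssdaayaqa.top",
    "hd0b3oke2q90gz.xyz",
    "researchwhiz.com",
}

# Constructed DNS log lines for the example; assumed format: "<ts> <src> query <qname>".
SAMPLE_DNS_LOG = [
    "2022-07-05T14:02:11Z 10.0.0.12 query www.pixeldoughnut.com",
    "2022-07-05T14:02:12Z 10.0.0.12 query update.microsoft.com",
    "2022-07-05T14:02:14Z 10.0.0.12 query tzssdaayaqa.top",
    "malformed line",
]

DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")


def digest_all(data: bytes) -> dict:
    """Compute the four digests the report lists, as lower-case hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data: bytes, expected: dict = REPORT_HASHES) -> bool:
    """True only when every listed digest agrees; one mismatch means a different file."""
    got = digest_all(data)
    return all(got[name] == value.lower() for name, value in expected.items())


def domain_or_parent_listed(qname: str, listed: set) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Walks from the full name up to the registrable part (never the bare TLD),
    so 'www.storesafe.xyz' matches 'storesafe.xyz' but 'notstoresafe.xyz' does not.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None


def hunt_dns(log_lines, listed: set = C2_DOMAINS) -> list:
    """Match DNS log lines against the C2 list.

    Returns (ts, src, qname, listed_domain) per hit so each can be triaged
    against observed traffic before any blocking decision.
    """
    hits = []
    for line in log_lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        hit = domain_or_parent_listed(m["qname"], listed)
        if hit:
            hits.append((m["ts"], m["src"], m["qname"], hit))
    return hits


if __name__ == "__main__":
    for hit in hunt_dns(SAMPLE_DNS_LOG):
        print("C2 candidate contacted:", hit)
```

To check a real file, read it as bytes and call `matches_report(data)`; to run the sweep over a real export, feed its lines to `hunt_dns` after adjusting `DNS_LINE` to the export's format.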