General
Target: Heineken_902738.exe
Size: 753KB
Sample: 220705-wtgz5abfeq
MD5: 7901c752f39af02c460c45bb8c056578
SHA1: c4afb3557c24fe5e8eb4f163ff3d2f8d08a76b24
SHA256: e37b466a994825e7a44f625de253fc03dedd0d042127b035423f5dd2370d2f77
SHA512: 61b8f79757a7d6e61e21bc7773c9ae4f2db7fa24175cd5b7d91e3f277bb59d4cff69888ff3c23d801d19cef97b38e7a772c580d8eee832112b8849cfbbdfe85b

Static task: static1
Behavioral task: behavioral1
Sample: Heineken_902738.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: xloader
Version: 2.8
Campaign: nekq
Extracted strings (listed as-is):
/c9oNOPSc9aX85OuoqU=
OJ273U/T/c7no1jC
oPn68XFXJsCG6JOuoqU=
iAUbpb8k0vTRkUTK
pPasgiv9XQi4ESRJKCjRfGdj
J5jO/Yz6+M7no1jC
XdhiI9HBZsZlyKZ1jPx+JvxZEg==
uKpYHaMJ+OCnb0yGJ5d4Fg==
9/aD58LBdIIAdGJIaaiSTSuqn1/A
Q52txESw1ro3n3NlouzWgmgm06DFAvFR
nv0k5OdLOI8bBbwMrO7Lp059Fw==
NJ3N6nHo3qKAhDZJKCjRfGdj
z0FFAyMlzFonbTkMu79n
IxOiRvLolOiHw2lEcphyDfqqn1/A
Pi0Kkdu8Vr84Fg==
hGmJW4f0Eelq7fRazg3f1qZr
+O+SUb0HHflx55l0J5d4Fg==
raG3zxXI4rgz6Ipsia0=
OZuQHihvYzPayG4Ax70=
EYKIJDSGpYffFZOuoqU=
RiG6fwJkVjf+upSGq+xqGvQ=
yMn8IKcnhfKr3cHW3dKGOst5Kfs=
NJS+fG/HsPma6sbp3FFo
eVFb1AZ3DH4b
61TNckYVfA==
ffMnSNFQfVrHZ2IAtOCqYizuyKnX
70RqO2HkGKkkG8vp3FFo
92V/ICpI9lXQx7AWin7f1qZr
29FtIMG4Zs+F4czG2dqNOMt5Kfs=
PzfOODMoxB3no1jC
jwh3GdLHaeSX7pOuoqU=
baLRnrWxTW8Pz+c=
/FlqMm13mWUh2b2pmsrAajtrFg==
18ltMLMePUwXyKKBoPfLp059Fw==
txKXwLInM18=
+d3yvetQd4U4FAqXMx+7YEVLIL1MtA==
bkVE1kps4Ug=
FoXxgcq7Vr84Fg==
fPX3mcgiSWYsA9Y18CPhx4LIcjsNvA==
9mGfxRFdSy0AxHLRhvZYcct5Kfs=
KYWoUYfq3IfymWDGJ5d4Fg==
L6GuerAcEGjpDPJRyA3f1qZr
xBJS8ejSPw63i3X6oLlcB6TWinDFAvFR
RS/FdzYij6ekBfA=
eeZribK9ZbhQjnumV3M39ONxG5ysZms=
3T1rCx2hxKCGmYjgJ5d4Fg==
gn0m8664WreN2bYHjXvf1qZr
BHIAHzyRs4szCvCADVRrFvuqn1/A
OyPKafPXcI3JGoPp3FFo
vSWNGaywKfRx+ti72An8n3Qy26HFAvFR
oH5ADLfKfYHtdSV67/PGp059Fw==
jwL6h4vyE+/A3LoJjXvf1qZr
Xs9Zc2deDC9V8+k=
T5+bMXJEq4EOpWo4KnA/JRB0Hw==
e+oUSQb+r8NI5c6or+xqGvQ=
wjXF2vHymfKODIJZfKo=
T0A5XQuKf1AE+G/Iaw==
+O2YZgehQqekBfA=
LY8YRnN7UkRTvJrV
xkVcJFDA8c7no1jC
Ze4Rn6IiDDhTvJrV
XU3mjCPwkCTjF5OuoqU=
+tMPp6nFfw/aG5OuoqU=
Y9HTKZMsX7J8o2IlOF/757hy
Domain: pakujwalize.xyz
Targets
Target: Heineken_902738.exe (753KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext