General

Target: DHL Package _00099088.exe
Size: 508KB
Sample: 220706-te3beaeegj
MD5: 45dfc5671eca20fa6dc4ed9fa70ec804
SHA1: 0f483b3fb308168e3af3ce46fcccbde1265da7a3
SHA256: 06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1
SHA512: 2e325dae6375815657cea18f3cd26f6ef59dd279d3c7251432b86c3dad554c31b9ded2623841d73cae554c54f5541735793131a40ccfd43eeca2b8c155253255
Static task: static1
Behavioral task: behavioral1
  Sample: DHL Package _00099088.exe
  Resource: win7-20220414-en
Malware Config

Extracted
Family: xloader
Version: 2.8
Campaign: q80o
f7mdaO1bGlX5Y2KU0dHQaA==
Mps3KuD8zIc+NieaquJSbJf4U75PQQ==
XDEHE8tpP4Uwl4NwhsevSqgqP5ct/8Q=
CEQUvkPpweaRAuejNpsk
eknJn0MoEfumZie5yfrBvueX
8oIe8Jy9cTTiBJQ2KQ==
6/uwsnRgUVcChTCjNpsk
OlNvP2P/9Q==
PRAK+/9rNmwT
WC+kTLpjVUQcW14=
UBHyqBYIxX0rI8b3U7MwdKvk/tcjH90=
OaE5CqzVdrSXjokQNg==
pHhRDF7Q2kf2YB5bIywkhp0=
Dg+chDsoFRbFaiGnugOCof5zF9Pr
Qs+IMKxNKFFEizXk
gnDbWFzyYCcEgwoT/mA=
e8GaWAb7quKJREE=
vnEZ65pK59F1Fvex9dw2SbUXMg==
JWlLFJP5ceeM6q2lnt1ZlvK1vtQ=
UblHILLigo4hiA==
K71OMORTCsFznw==
DDjk7OfIrHsG
z03No0e3vjHR9860CHc=
aMFJNAEk2YcvKDHOxRQOlqOQ9sLp
dIh46PaKCsFznw==
ltecpJM3OLdq2Ds8Pg==
sdegtKrf7/qTAeejNpsk
EhCXbPZlI1hEizXk
SuFlJMpDStB52Ds8Pg==
oeHaqyaaXptLt6Gt0dHQaA==
QZ1pTseuaRP+zskwOw==
4PmhhQBwLV4IjwoT/mA=
iNtZPQI6GqGIYTGjNpsk
M1sB86WzZDHVfEgKCV3w/1tKDkfh
Ba1cTRlFAoRvTUk=
j1PNoy/b8XQTNvUJQaUfTKi0WXicPQ0K
2/GooFlPS0PusnPFTOCP2Aaf
6E0bGcAzPq9q55xCg//6UI3iAtcjH90=
WNhpOOIDu2wYCc60CHc=
oB3N35WpaCnMyFtp0dHQaA==
lvekiDtpNOWRqLE/JUfTOljE0tHr6WzUoHQ=
/NVGBrhuS4w1yIspSiwkhp0=
c9o/6VyElotONy2/C485hq2kTtcjH90=
FhGjk0bhjNB9wn14dmgpfJ4=
lI0eLCM+X5xFzZnbIoYSW5eQ9sLp
PBjznxU1D4RvTUk=
JmgSGBTHodBo2Ds8Pg==
0eGlRcfh0sNwNyzm+A5el7WQ9sLp
puuZQoVlDIRvTUk=
xlANFQCwiK9Sv8Dn4h2k6Ch2hCOvaj9mnA==
wYFXdDo0SEXpgy+jNpsk
2NfObKuHQQO2srg0he9oSbUXMg==
xTm6euX//P+nNEBYSHv150NbGdw=
0YM2JgEnJCUHaDCjNpsk
klvhdPQhB4RvTUk=
xhn9phq8vSfcRlOR0dHQaA==
srdtEot1IuyEEa0uWuivIECNhyq4q0pOlTaghg==
YC3ByohsWVxEizXk
QIBbCYEjLqlVoZy6CXw4t9IzWhCsaj9mnA==
KsFmZCSfqAvIWFVZpxfYcKIBU75PQQ==
EPtpIshyGwe3gj+jNpsk
BY89K7mhWQzltmkKBFXcCTfoJg==
EEwt3VDCd7hPd1qV0dHQaA==
gOVlSAsjxYApB860CHc=
lifesreach.com
Targets

Target: DHL Package _00099088.exe (508KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Xloader Payload
Adds policy Run key to start application
Blocklisted process makes network request
Executes dropped EXE
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Deletes itself
Loads dropped DLL
Suspicious use of SetThreadContext
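The listing above is a flattened sandbox report: a label line followed by a value line for the target and its hashes, an extracted config block, and then network alerts and behavioural signatures, some with a description on the following line. The Python below is an added example, not part of the original page and not Triage's own tooling. It parses such a listing into a structured record (pairing labels with values, separating plain domains from base64-shaped config entries, attaching a description line to the signature above it), validates the four hashes for length and alphabet, and checks a file's contents against the recorded hashes so a mismatched or tampered sample is caught before analysis. The REPORT string is constructed from values printed on this page (a subset of the encoded config entries); reading the three lines after "Extracted" as family, version and campaign is an assumption about the report layout.

```python
"""Added example (not Triage's tooling): parse the flattened report above into IOCs.
REPORT is constructed from values on this page; reading the three lines after "Extracted"
as family, version and campaign is an assumption about the report layout."""
import base64
import binascii
import hashlib
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
KEYS = ("Target", "Size", "MD5", "SHA1", "SHA256", "SHA512")  # label line, then value line

REPORT = """\
Target
DHL Package _00099088.exe
Size
508KB
MD5
45dfc5671eca20fa6dc4ed9fa70ec804
SHA1
0f483b3fb308168e3af3ce46fcccbde1265da7a3
SHA256
06b80b5b146259aedc1c2f1da5253e2ad1dadae5ba7577a8cc2ce93191f05fa1
SHA512
2e325dae6375815657cea18f3cd26f6ef59dd279d3c7251432b86c3dad554c31b9ded2623841d73cae554c54f5541735793131a40ccfd43eeca2b8c155253255
Extracted
xloader
2.8
q80o
f7mdaO1bGlX5Y2KU0dHQaA==
Mps3KuD8zIc+NieaquJSbJf4U75PQQ==
lifesreach.com
Targets
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
Adds policy Run key to start application
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Suspicious use of SetThreadContext
"""


def is_base64(s):
    """True for well-formed, padded base64 (the shape of the encoded config entries)."""
    if len(s) % 4 or not B64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except binascii.Error:
        return False
    return True


def parse_report(text):
    """Walk the label/value lines; '-' separators are extraction residue and are skipped."""
    rep = {"target": "", "size": "", "hashes": {}, "family": "", "version": "", "campaign": "",
           "encoded": [], "domains": [], "alerts": [], "signatures": []}
    section, pending = "general", []  # pending: field names the next lines fill in
    for line in (l.strip() for l in text.splitlines()):
        if not line or line == "-":
            continue
        if pending:
            name = pending.pop(0)
            if name in HASH_LEN:
                rep["hashes"][name] = line.lower()
            else:
                rep[name] = line
        elif line in KEYS:
            pending = [line if line in HASH_LEN else line.lower()]
        elif line == "Extracted":  # assumed order: family, version, campaign
            section, pending = "config", ["family", "version", "campaign"]
        elif line == "Targets":
            section = "targets"
        elif section == "config":
            if DOMAIN_RE.match(line):
                rep["domains"].append(line)
            elif is_base64(line):
                rep["encoded"].append(line)
        elif section == "targets":
            if line.startswith("suricata:"):
                rep["alerts"].append(line.split(":", 1)[1].strip())
            elif line.endswith(".") and rep["signatures"]:  # description of the signature above
                rep["signatures"][-1]["description"] = line
            else:
                rep["signatures"].append({"name": line, "description": ""})
    return rep


def hash_problems(rep):
    """Hashes that are missing or not the right length/alphabet for their algorithm."""
    problems = []
    for algo, length in HASH_LEN.items():
        value = rep["hashes"].get(algo, "")
        if len(value) != length or not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{algo}: {'malformed' if value else 'missing'}")
    return problems


def matches_report(rep, data):
    """True when data hashes to every value the report lists (wrong or tampered sample otherwise)."""
    digests = {algo: getattr(hashlib, algo.lower())(data).hexdigest() for algo in HASH_LEN}
    return all(digests[algo] == value for algo, value in rep["hashes"].items())
```

To use it on a real report, paste the page text into REPORT (or read it from a file) and call matches_report with the bytes of the file you are about to analyse; a False result means you do not have the sample this report describes. The base64 check only classifies the shape of the config entries, it does not decode them into anything meaningful, since the page does not say how they are encrypted.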