General
Target: Scan SOA.exe
Size: 500KB
Sample: 220706-y4n8asggbm
MD5: e69167de6d19a41819f25de01cd10aef
SHA1: c302c06e1cb00e72013b0671ba0db1a541673289
SHA256: 4863509ff407e4a6389305b5555bc804aa5df9b67290feeb1e36bf68f40696e1
SHA512: 73ec2711e5c3076fee07a03db0289887946a66d3f6656ece5a12db6ad672424368a6e9b5feb339b97a8cec63bf3869b8062f90335fb58e99a9894ef0afa742e1
Static task: static1
Behavioral task: behavioral1
Sample: Scan SOA.exe
Resource: win7-20220414-en (Windows 7, English-language sandbox image)
Malware Config
Extracted
Family: xloader
Version: 2.8
Campaign: nmd2
Decoy domains (64 entries, base64-encoded as extracted):
FNWENUOMqqSv0Q==
ls6DEbQ1KBCeSsvUyRg=
mwgrjwpFplaykGoT
Uzzj8yXi13iLMnNGZcnViQliwA==
T7vzj0l0lqquyA==
csHzBjwvF7rmjcmWxjThd61NuuVl4gQ=
YaXyTwg3p1vrf/n9kYJQjrc=
cHAfFEI1JKDF4mTsGjDbeg==
TdDv+o9VSFep3wgTtY0swqQ=
Jw66vdyXdRZG9jJZycLD
icGvsuKZgXNid1M=
6m6H0GvguY+vZZpcioudbQ==
kNUBYMuymhgm2b0q3bEAiQliwA==
M3SiAXRbVe0XAsxDOIp6cg==
+eWLk+HjRRe3LuyavQ==
753R3QYD8XOWtWI0ouGpYw==
dRg+bQZ6TSbC8Sbs2mXXxLM=
kDlUsE+U7Y/RfUQ=
oENlcFZVqqSv0Q==
HCC+nbachxEs1f29GjDbeg==
ctsJlTxo3LFbK0RZycLD
VAV965YJquX+b2gE
wUpcvG0A0kxkhA6dsxec/Ufb
+Kzh3Pz/WTFKLuyavQ==
5IBvVoiTqqSv0Q==
qhS7ELozBsxWGdGNLWXXxLM=
sIdm8Gid7Y/RfUQ=
o9jFl8KnrZEe2UrO2mXXxLM=
eecJaOIceBS8YCLfz2XXxLM=
wvauO+RYyniHRncupG0Ten2V2PDf
meDvRhWM7I/RfUQ=
LlL2kO+2mQQBt6Mbi3M85yXR
/5hqNCjixE1T+DRZycLD
mghXL0b5y1BTAeKFZgcVnbs=
vpRLqCgVpBo+
MhWVgapZL/AkxgTV9WAniQliwA==
G1w14UrRoHGpQ2UVK4BOy+cryA==
Xfjtvd7Rx2B9KWsoP7tp2dGrHmR49g==
YV3YuM5Fbwwp
6l5Yu2CUBLdfCsCe1E47UUFRqOVl4gQ=
zvsbe+zuUwGeQ8vUyRg=
1cI0GBeUfY/RfUQ=
nWgfnkDEUGOJLuyavQ==
0bosGEv++89jmJdZycLD
k55xymOPqqSv0Q==
9Vo/hSEVpBo+
Goh71Ec2I5igPHhLh/mfMmK1d4RK4BA=
ejin8nSfnQonPPibLWXXxLM=
yQUskS2vGpw=
YCbKnMOAcS5Y+zBZycLD
UsS4CoF4lqquyA==
FpSWpcVFbwwp
vFSrpMeaqqSv0Q==
tFR01kVKp0L6IRiD9c7Of5Gus1L3/g==
yr44IihjQHNid1M=
2VRJm0F25df4EZY9bdXViQliwA==
jm/jvLpEJfmbUfbOAH5IaYmZTuVl4gQ=
iYId/jAYAao9W1Oz20NHfcakEBY=
tiUNWfcurI6YSYQ5U7m4ysDQLVBMgdA6iw==
ZeixX31Fbwwp
7FBmslXBOQwbzrIwoXNBiQliwA==
VVr3w7qAY8/hAH5hZsDU
vDlm1IsR5KjVf276e18NPWGBTOVl4gQ=
IxGhEq722C9Yfbn6GjDbeg==
C2: gelasbeauty.com
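The config block above is the most reusable part of this report, so here is an added example (not part of the Triage report and not XLoader's own code) that parses it into structured data, checks that every decoy entry is well-formed base64, groups decoys by decoded length to show how much trailing ciphertext equal-length entries share, and verifies a file's hashes against the values listed under General. It assumes the "Key: value" layout used on this page and embeds a constructed excerpt of the config (values copied from the report, decoy list truncated to keep the block short); the interpretation of the shared suffixes is an inference from the data, not something the report states.

```python
"""Added example: turn the Triage-style XLoader config and sample hashes
above into checkable data. Assumptions: 'Key: value' layout as on this
page; decoy entries are base64 of still-encrypted data (Triage prints them
as extracted); only a subset of the 64 decoys is embedded here."""
import base64
import hashlib
from collections import defaultdict

# Constructed excerpt of the report's config block. Values are copied from
# the page; the decoy list is truncated to eight entries.
CONFIG_TEXT = """\
Family: xloader
Version: 2.8
Campaign: nmd2
Decoy (base64-encoded, as extracted):
FNWENUOMqqSv0Q==
ls6DEbQ1KBCeSsvUyRg=
mwgrjwpFplaykGoT
oENlcFZVqqSv0Q==
5IBvVoiTqqSv0Q==
k55xymOPqqSv0Q==
vFSrpMeaqqSv0Q==
+eWLk+HjRRe3LuyavQ==
C2: gelasbeauty.com
"""

# Hashes of Scan SOA.exe as listed in the General section of the report.
REPORTED_HASHES = {
    "md5": "e69167de6d19a41819f25de01cd10aef",
    "sha1": "c302c06e1cb00e72013b0671ba0db1a541673289",
    "sha256": "4863509ff407e4a6389305b5555bc804aa5df9b67290feeb1e36bf68f40696e1",
    "sha512": "73ec2711e5c3076fee07a03db0289887946a66d3f6656ece5a12db6ad672424368"
              "a6e9b5feb339b97a8cec63bf3869b8062f90335fb58e99a9894ef0afa742e1",
}


def parse_xloader_config(text: str) -> dict:
    """Parse 'Key: value' lines plus the bare-line decoy list into a dict.
    Decoys are base64-decoded with validate=True, so a corrupted or
    non-base64 line raises instead of being silently accepted."""
    cfg = {"decoys": []}
    in_decoys = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Decoy"):          # header of the decoy list
            in_decoys = True
            continue
        if ":" in line:                        # any other 'Key: value' field
            key, _, value = line.partition(":")
            cfg[key.strip().lower()] = value.strip()
            in_decoys = False
            continue
        if in_decoys:
            cfg["decoys"].append(base64.b64decode(line, validate=True))
    return cfg


def common_suffix_len(blobs) -> int:
    """Number of trailing bytes shared by every blob in the list."""
    if len(blobs) < 2:
        return 0
    n = 0
    while all(len(b) > n and b[-1 - n] == blobs[0][-1 - n] for b in blobs):
        n += 1
    return n


def decoy_length_groups(cfg: dict) -> dict:
    """Map decoded decoy length -> shared trailing bytes within that group.
    Equal-length entries that end in the same ciphertext bytes are consistent
    with a fixed keystream XOR-ed over plaintext domains ending in the same
    TLD (an inference from the data, not a statement in the report)."""
    groups = defaultdict(list)
    for blob in cfg["decoys"]:
        groups[len(blob)].append(blob)
    return {n: common_suffix_len(g) for n, g in sorted(groups.items())}


def verify_hashes(data: bytes, expected: dict) -> dict:
    """Return {algo: (expected, actual)} for every digest that does NOT match,
    so an empty dict means the bytes are the reported sample."""
    mismatches = {}
    for algo, want in expected.items():
        got = hashlib.new(algo, data).hexdigest()
        if got != want.lower():
            mismatches[algo] = (want.lower(), got)
    return mismatches


if __name__ == "__main__":
    cfg = parse_xloader_config(CONFIG_TEXT)
    print(cfg["family"], cfg["version"], "campaign", cfg["campaign"], "c2", cfg["c2"])
    print("decoys:", len(cfg["decoys"]), "shared-suffix by length:", decoy_length_groups(cfg))
    print("mismatches for an empty file:", sorted(verify_hashes(b"", REPORTED_HASHES)))
```

Run `verify_hashes(open(path, "rb").read(), REPORTED_HASHES)` on a candidate file before trusting that it is the analysed sample; an empty result means all four digests match. In the excerpt, the five 10-byte decoys share exactly their last four bytes, which is what you would expect if they are six-character domains plus a common four-character TLD under one keystream.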
Targets
Target: Scan SOA.exe (500KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
The ET rule names say FormBook, but XLoader is the current name of the same codebase and its check-in traffic still matches these rules, so the alerts corroborate the extracted xloader config rather than indicating a second family.
Xloader Payload
Executes dropped EXE
Checks computer location settings: looks up the country code configured in the registry (typically the Geo\Nation value under HKCU\Control Panel\International), likely a geofence.
Deletes itself
Adds Run key to start application (registry Run-key persistence)
Suspicious use of SetThreadContext (rewriting another thread's context is characteristic of process hollowing or injection, where execution is redirected into injected code)