General
-
Target
Shipping-Docs.exe
-
Size
501KB
-
Sample
220707-f1krlafgc8
-
MD5
c865088690870930ec48ae54209e37a3
-
SHA1
b6bfc53eb8577cfafe3ef5670faf56e6b2f10a3c
-
SHA256
14a0af77c8fab65395925348cb39c058dd0e619e33055f6a3f895c295aaa6783
-
SHA512
d233fb9735eca4d18dc4a2642d2fcbeb386a5d5ffd480aa6e09a7b29567417b1ecf588dc004975c97b08dd3cd05dc7c48105b87804a8e37c8a1af649b95f653f
Static task
static1
Behavioral task
behavioral1
Sample
Shipping-Docs.exe
Resource
win7-20220414-en
Malware Config
Extracted
xloader
2.9
gfv7
hd4AZDZ3XeSkZ9w0NRn2+JU=
6iAxmGKdumxFEgwp
jM6QcxNUSeCKaUdvvh3g9mffhosQ
d4CC0LS0DjTJS8FdXqd3soM=
S1LPlXEIJY52Og==
doeO7AimsF0NEvFgnIV5
W2TlzH/byHtUU3B7tw==
Y2RAbyZjex2qj6GQv4Q=
ftoOsCpZdfmALQ==
4kqL8v/6rDj8Ohs/wAjkb0gD5Gfiww==
8mVs/AkvwLnIWp4=
yfqAazgHioT8b9yHSKpLDtgY
EyWD5F+Wu3L0xq/VJXgdlnFvBDdUz5WM
jn9ty+pdRNdtcDhJ5k8nwZofm4EJ
s9XVNv4/aRDBUx4w
+vHFE7Fw1rnIWp4=
wC395Yvi6G/3yoWRGW1USxzshi3Dyw==
jcbufIN91gHAUK1RYUMYIdyqpDlUz5WM
iIyoIvZNXwPNmBlBxGk6+A==
C/hTD8h/KWLiMW4Mt/joXyz23Q==
V5ApC8yE9ga07OV4Q61LDtgY
xtLNTFFs/RCJA4orMGL9ApU=
/AKLeE8idfmALQ==
WJL8UAHhVg7FSqAxOWL9ApU=
9iK1jWPdwWJFEgwp
Rz0Nb3NpyLnIWp4=
th3awtVSNNiFPLlnLxPmXyz23Q==
PLAGb2JN/0tFEgwp
DwBJL0vXwz6VU3B7tw==
bOAIYklXEJsP7BUDjxTubP8Q
AzA1r1ApwbnIWp4=
GY7VFP8Z42Eu0zrPgv7M27H2j0s=
M1Xf2X3iJY52Og==
TniK5ZHG5YsoO/UBSCIK04Osyg==
bNielgswlcIx
BT5/syRLwuaFFoo=
zwZKrUOtnTLZkPUBUkIUo7nAxA==
S3TY7rP8Gao+W6GQv4Q=
8vR8aFToJinc8vkLXbaY8pHOkINUz5WM
fn99yILT1WJFEgwp
4CI0fVVcxeyXIYwwPVLo9Iw=
hq6/DbfACpAm
ZJBMLtsgRN6izYKOI6xLDtgY
0w51/t24cgbsNUTkoS3BBZM=
KigtlHKAVuSnOpkzO1Lo9Iw=
QJKEvBztdfmALQ==
JCr9WGswGbg7
cbnlTTM1lc+s9s/6j/3mXyz23Q==
nC9880u66IpFEgwp
8l0tFQeq3HFHilpg32RN0GRVOaxXKO8YOA==
aV4laF9ZdfmALQ==
p8+JhjIKxEMWa1707GVKBdbbhi3Dyw==
lsDLGs6vauq8ERrIkwrU1m76mhgPoVk=
VmL44pRG8A56zSK0xGk6+A==
0MtFU1jACpAm
ASApso7Btzm4sbLiY79LDtgY
ULrfRv1BUwzoty9HxGk6+A==
qasiAbIOJY52Og==
UZN9Xx2miW9FEgwp
zDMIAhSLts63jRpCxGk6+A==
f3gLFxpk+DG+U3B7tw==
qzWSblb1ernIWp4=
+CZPmjzmSGIHjN6BSapLDtgY
jsw3l0sshQ0MzjNRqA==
littlemountainnomad.com
Targets
-
-
Target
Shipping-Docs.exe
-
Size
501KB
-
MD5
c865088690870930ec48ae54209e37a3
-
SHA1
b6bfc53eb8577cfafe3ef5670faf56e6b2f10a3c
-
SHA256
14a0af77c8fab65395925348cb39c058dd0e619e33055f6a3f895c295aaa6783
-
SHA512
d233fb9735eca4d18dc4a2642d2fcbeb386a5d5ffd480aa6e09a7b29567417b1ecf588dc004975c97b08dd3cd05dc7c48105b87804a8e37c8a1af649b95f653f
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Xloader Payload
-
Adds policy Run key to start application
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-