General
Target: r.com
Size: 176KB
Sample: 220707-g4dccseddn
MD5: a750e7ca3c96e229159290610f050f44
SHA1: c826d272c2d37bbed58f565d26e23aedbc8e77bd
SHA256: 7b943e48f8b28d881955fb753c00bcdf83150950dee3de8be4f60809e51772c0
SHA512: c850c6e8fbfbcf48aa6ef415e3dd3754570e3b8af84c59456f6da265680cc7f50bf674a598d9ac00ff91cf9e02644f6d635cd3e4a14faeabdefc89cf7557224e
Behavioral tasks
- behavioral1: sample r.exe, resource win10-20220414-en
- behavioral2: sample r.exe, resource macos-20220504-en
- behavioral3: sample r.exe, resource ubuntu1804-amd64-en-20211208
Malware Config (extracted)
Family: xloader
Version: 2.8
Campaign: m02u
live24-news.xyz
Targets
Target: r.com (same sample as listed under General)
Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext