General
Target: ORS51082.exe
Size: 996KB
Sample: 220707-g687tagfh8
MD5: fdce62a590ef3d5c302a7cabc29278fb
SHA1: 155fedc5ca4878abfd7bbf94445b88f96452745d
SHA256: 6e7274032f1229b80a0b4d9e4bfef54d27414f287161dd3e1f80a476cbc85c52
SHA512: 21d37bf4bcafc81b941240d75ab7eb2727bdd6ffaecbeccf9f2173b09f9ce1119dcdac24d6aff7fb5ad2dd209b826bb57719286cc96cc38ce680cdff103182ef
Static task: static1
Behavioral task: behavioral1
Sample: ORS51082.exe
Resource: win7-20220414-en
Malware Config
Extracted family: xloader
Version: 2.5
Campaign: ges0
C2 domains (XLoader configs carry decoy domains alongside the live C2; treat every entry below as an indicator, but a hit on one does not by itself identify the live server):
activelogistics.group
fashionbeautyinternational.com
firstbymel.com
anta-media.com
mysmartoffice.online
a17l.com
hyunmijoa.com
gdqsgyl.com
athafood.com
guwerix.xyz
yodjae.com
wineglassfuls.info
sattair.com
kamstage.com
nurseandcaregiverjobsesp.com
vemtiq.com
kul-history.com
trycbd-gummies.net
fewland.club
breeztrade.com
kremboo.space
trump2024campaigncommittee.com
www6789winvi.com
vegaitpro.com
franklinvisioncenter.com
drshrikantbadweurology.com
cryptosupermine.com
hoteltheimperial9.online
testestest.company
bhhtait.com
license-plate-find.online
dayinriyadh.com
misbantarkalong.xyz
best10canadianreviews.info
eyhpydiss.quest
maxiofferteshop.com
oxdogpowerribs.com
refurbisheddildo.com
olqadaul.com
jporn.info
gomminnekym.quest
ng-eu.com
luuav.com
icmcitalia.com
carencurefarmacia.com
b8ceex.com
joe-tzu.com
ewenleung.com
once-only.info
venturefable.com
micj7874.com
spiruline-shop.com
vinicz.com
caravancanapy.com
mybonekey.com
927341.com
ktnplot.xyz
ingleseacolazione.com
zeneziz.com
lesakdhj.com
qicogo.com
torontoescorts.xyz
branchingstreamstherapy.com
balajicrackersworld.com
vjqd.top
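Worked example, added here and not part of the sandbox report: the extracted domain list is only useful once it becomes detection content, so the block below turns a subset of the config above into Suricata DNS-query rules and runs the same indicators over DNS log lines. The log lines are constructed for this example and the SID range is a placeholder; matching is done on label boundaries so that a subdomain of an indicator hits but a look-alike such as notathafood.com does not. These DNS rules complement, rather than replace, the HTTP check-in signature the sandbox reported.

```python
"""Build DNS detections from an XLoader extracted config and scan DNS logs.

Added example, not code from the sandbox or the malware family's tooling.
Constructed inputs are marked as such; the SID range is a placeholder.
"""
from typing import Iterable, List, Optional, Tuple

# Subset of the domains extracted from the sample's config (full list above).
XLOADER_DOMAINS = [
    "activelogistics.group",
    "athafood.com",
    "trycbd-gummies.net",
    "vjqd.top",
    "927341.com",
]

CAMPAIGN = "ges0"  # campaign id from the extracted config
VERSION = "2.5"    # XLoader version from the extracted config

# Constructed DNS log lines for this example: "<timestamp> <client> <query>".
SAMPLE_DNS_LOG = """\
2022-07-07T06:41:02Z 10.0.0.12 www.microsoft.com
2022-07-07T06:41:05Z 10.0.0.12 WWW.athafood.com.
2022-07-07T06:41:09Z 10.0.0.12 notathafood.com
2022-07-07T06:41:11Z 10.0.0.12 vjqd.top
"""


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Athafood.COM.' still matches."""
    return name.strip().lower().rstrip(".")


def matches_indicator(query: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that `query` equals or is a subdomain of.

    The suffix test requires a label boundary ('.' + indicator), so
    'www.athafood.com' hits 'athafood.com' but 'notathafood.com' does not.
    """
    q = normalize(query)
    for ind in indicators:
        d = normalize(ind)
        if q == d or q.endswith("." + d):
            return d
    return None


def suricata_dns_rules(indicators: Iterable[str], sid_start: int = 9000000) -> List[str]:
    """Emit one Suricata rule per domain on the dns.query buffer.

    dotprefix prepends '.' to the queried name, so content ".athafood.com"
    with endswith matches the apex and any subdomain. SIDs start at a
    placeholder local-range value; adjust to your own allocation.
    """
    rules = []
    for i, d in enumerate(sorted({normalize(x) for x in indicators})):
        rules.append(
            'alert dns any any -> any any (msg:"XLoader %s campaign %s DNS query %s"; '
            'dns.query; dotprefix; content:".%s"; endswith; nocase; '
            'classtype:trojan-activity; sid:%d; rev:1;)'
            % (VERSION, CAMPAIGN, d, d, sid_start + i)
        )
    return rules


def scan_dns_log(text: str, indicators: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, query, matched_indicator) for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole scan
        ts, client, query = parts
        ind = matches_indicator(query, indicators)
        if ind is not None:
            hits.append((ts, client, query, ind))
    return hits


if __name__ == "__main__":
    for rule in suricata_dns_rules(XLOADER_DOMAINS):
        print(rule)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, XLOADER_DOMAINS):
        print("HIT", *hit)
```

Feed the full domain list from the config in place of the subset when generating rules; every entry is worth alerting on, but triage of a hit should look for the follow-on HTTP check-in before calling a domain the live C2.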
Targets
Target: ORS51082.exe (996KB; MD5, SHA1, SHA256 and SHA512 as listed under General)
Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Xloader Payload
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext (API commonly used for process hollowing / code injection)