Overview

Static analysis

The archive 22.zip contains 14 executables, 33.exe through 46.exe. Every one of them is assigned the report's maximum score of 10 and is identified as a windows10-2004-x64 target:

Sample   Platform             Score
33.exe   windows10-2004-x64   10
34.exe   windows10-2004-x64   10
35.exe   windows10-2004-x64   10
36.exe   windows10-2004-x64   10
37.exe   windows10-2004-x64   10
38.exe   windows10-2004-x64   10
39.exe   windows10-2004-x64   10
40.exe   windows10-2004-x64   10
41.exe   windows10-2004-x64   10
42.exe   windows10-2004-x64   10
43.exe   windows10-2004-x64   10
44.exe   windows10-2004-x64   10
45.exe   windows10-2004-x64   10
46.exe   windows10-2004-x64   10
General

Target: 22.zip
Size: 1.8MB
Sample: 220902-dzzs1sfdhr
Score: 10
MD5: 72c75f372a51053c1aedf92cd4b9dece
SHA1: 38136b40e73c057a43a4ae310ac4632093040d73
SHA256: a7c1f4ae5c35b88e68b4d82db4c7e14d53922946d853569b5efd5050e7480229
SHA512: 8ed1de33634dabdf6a404a8aa061d1f5456cfa0a06df8a8e40a3b6d0c7ef1417ad4b9b4a316d22a7681420edb93676a352208d886113ae21749ce68d3b9d48e9
SSDEEP: 49152:1GD2jKzAZsfRYFHMAtSUZj7aRacFta8sfRnsfRlGD2QtAhTh:182Oz7RhAEYXsnAUz82QtSh
Behavioral tasks

Thirteen behavioural tasks were run, each on one of two Windows 10 2004 images (win10v2004-20220812-en or win10v2004-20220901-en). The image a sample landed on matters when comparing signatures between samples, because identical files were run on different images. No behavioural task is listed for 46.exe, although the Targets section below records behavioural signatures for it.

Task          Sample   Resource
behavioral1   33.exe   win10v2004-20220812-en
behavioral2   34.exe   win10v2004-20220901-en
behavioral3   35.exe   win10v2004-20220812-en
behavioral4   36.exe   win10v2004-20220812-en
behavioral5   37.exe   win10v2004-20220901-en
behavioral6   38.exe   win10v2004-20220812-en
behavioral7   39.exe   win10v2004-20220812-en
behavioral8   40.exe   win10v2004-20220901-en
behavioral9   41.exe   win10v2004-20220812-en
behavioral10  42.exe   win10v2004-20220812-en
behavioral11  43.exe   win10v2004-20220901-en
behavioral12  44.exe   win10v2004-20220812-en
behavioral13  45.exe   win10v2004-20220812-en
Malware Config

Extracted configuration 1
Family: xloader
Version: 2.9
Campaign: iewb
Encoded entries (64, as extracted):
n8FLlgIlb1rSEg5hJ9xMbw4hcmR38Q==
5vIAIY+pt81OtWs+FdIEdk7Y
LHIKc+oWGIQUUlfAAtEEdk7Y
ePM/cX2jvHrS
5hvPEw22+fdvmJz3C8FIVq0=
mb9EeX2jvHrS
Dx2zIYNvfjo8VUo5
6jVPnyJekv2RAc4gLKNwEqQ=
KWatHyjdE5Gj1Ng=
t9lk70gzUAZty4qjbVjF
6eUBeFPzKBWT125BFNIEdk7Y
dZUXOIyqTJGj1Ng=
iL3TVh2Jl5QVStnzxcAhIL8=
J1prtyklUfZGR/xDD71IbkWRd2yx
s9FgCOBRW9bU0Y6jbVjF
RYCbQDzcFBhcylgu
Fl0BV/8RJm6F9QRg8LXXTLo=
0dhumHzrCCZ3wdQg7nFF1AlL6Tk=
xvL+iL6wwX+/wH9K4lbZ/A==
N0lVceIFD5Gj1Ng=
5/mnQbHhJ7IzcYjyQbXXTLo=
luHuIKrfNeUkJOfRV0dA8o3Ghkt95g==
yuh2thpBWtHl2ZV48rXXTLo=
ADcuaODkD5eytord4lbZ/A==
PIWRAgq8/zx4aipDyILc
TdUPJBksRZU=
NorCQjrrH5Gj1Ng=
WXUOku0EDZGj1Ng=
4w8mrX8lanCcoWZLU0SkkkSRd2yx
KIYkq/0QN5gPTFK37XszY0fa
s8lIykhdVZjlEA1g8LXXTLo=
AkBw4LE9RQNHkyRsMQ==
fLzVWEjyMarikyRsMQ==
6j1f2ZsFFRpcylgu
zu3YwbBReoIuUh1vdsGonTCDfw==
EGD0PEju53oDSuwu9765d/4KSkXU3Qxh
rc0aZhksRZU=
Un//ZcCsqyaNtEcnt6mLu7Lqdw==
V4Eqwh4FEHqIflW508EYzYSbOeC5
EiWpwJgAFRV5e1r60cAEdk7Y
VW8Pf9PN65HU1otP4lbZ/A==
FFdOyJcMGxpcylgu
KztLpY85vJkLFw==
yh8vtO4GRPQ2kyRsMQ==
qMfrSiqZvghLUyRy/7XXTLo=
eKTGPwmf3swEq2Y3
aoseYSTrlPsvGQ==
Z6tKw0RfgS5+1o6jbVjF
CyU0azDFBZGj1Ng=
7Cy+5co/ZZbhC8dW6eo=
LXmN0EJimQWHylwnbTS6afIlJZHj+Q==
2R2cFWiX1hlZYz2UKh4i12ikiTP55p5Bfg==
jqHcD+eAi5EYlVrJm0TN
cqO55WilyvQ9mG1P4lbZ/A==
BERqtpY6pZDbB8dW6eo=
VpzDHQBueZvY24qjbVjF
OWUELQ6s28NVxom7evrIPfCLfw==
5iO6Dg619fIVQz+Q3I+ZMdmwry4=
d6GiFh7QJaHO2Jxz8bXXTLo=
NlFh6bdVeihxxT1MH+A+TL3MaA==
0PWJHpPJ9zh3nasMO8FIVq0=
19Fom6FBSQ1QrMU=
aYWBmw6431DfHsdW6eo=
Jj7U++2X3M4Eq2Y3
Domain: mounscape.com

Extracted configuration 2
Family: xloader
Version: 2.9
Campaign: fofg
Encoded entries (64, as extracted):
FHyydxpFBs0S8b4ZlP7ZEtd/
EVaCEKb/cVV9xQ==
U9I5lke0IuU7vj5EXus=
rXD3AKPV3qUblOUsV41KMfU=
PwBSy5z56XNzIvnS3ygsKv0=
CQe1BLbSnGXX
HuhKjxhLhxqBy2FFz8WoFA==
QJymezEoLOFZ1T5EXus=
V8r5PAdwuGK2AUARohas
b1XV06ANH9s5uj5EXus=
3EiEhwo7Euw2tl8=
c2PjK8Izkydy5N8x
CXCkYf0m/qPrv8QajKyT6Oo=
pHjy+Mk0CqvWBXdCz8WoFA==
QjSwr3/j5rAyvz5EXus=
+edxANg/sU+k8YFQz8WoFA==
tWiQq3rqyl6cTAG9pA==
GeAyMQxBUOlDwD5EXus=
nQ5eoT2mEKkhDN2DwBek
JP5dIbHlrXXR8umDwBek
BMT8B9n1OyBvqL+WUSgsKv0=
RSeJYDyteizAdQbSCyHeYCCMZL1A
NOgCENlCLthl5TV9YsWpTzHAdjCmUw==
s2npDaPJBhAdm10=
TXr1YfxiKOkqcgfcHV092XmTHA==
aTXN1nHe/gVFvD5EXus=
TS+nK+9V4pW+9cko
GuBk6sExhxNLr7wYhPbZEtd/
oHWjdWHDv228J/jg0q6xYvzLcxRiMhI=
z6pB06UWdBZHuj5EXus=
nZ7gYT4zv3fY
gXHxw16/sjbOAABSuAnZEtd/
m2asNcPsiDe3I27NxByg2XmTHA==
leg4fQ1h3ZG+9cko
AmB4B64SvFJ6t1G2z8WoFA==
7agWYtMw0Wu2yptkrA==
yzl7iRI/QhdFiRV+eQXh2qsEinZosxo=
gcntJ8YrjSVy5N8x
hmi6U/JgAY/CyptkrA==
/2edLM81848QdjaiqyLu051h
57A/tEumUOZ3Nc6c3Q/aQx8Hiq38AvyPxw==
qI77ulvxShNayD5EXus=
IPA6VOUd6xAdm10=
6LAL4bkhuGHG5+WDwBek
06pAU/Af78kc13PYvx2l2XmTHA==
LhRuu47pEuACWUo=
98ue7uq/cVV9xQ==
Vxxkh13O3ZwXwlcqp5L/6OM=
XhYUTkQR6hAdm10=
RQE/ijRllTFI8umlUSgsKv0=
+2bIH8U2olR6PVYuAlnzaCaMZL1A
BMQ9MRDgCcoYGZlxF2gFHXp1
fmrbKPeT/LD1azf/CIEZLeKVCw==
ajSLMtRD25W+9cko
8LTyD9cHcVV9xQ==
mFi1hCWOhw5Huj5EXus=
FXSUHb8h45vFyptkrA==
lWmcMf1mwF2BLzwh/FncUzfPgHZosxo=
guwbCaTRfBKGAXWKUHUf+e90detZ
QhxpJrXlmzdKeRDrnCjfixcSwulI
Thag+Y/veDtRAOqDwBek
Z0Wp7pLMCBAdm10=
bT9HyWnOXhWYztVF4moy2XmTHA==
kXbZHKvU/Iq+9cko
Domain: richardcrebeck.com
Targets

The archive yields 14 executables, 33.exe through 46.exe, but only 11 distinct binaries: 39.exe, 40.exe and 42.exe share one set of hashes, and 43.exe and 44.exe share another. Two further pairs are near-identical rather than identical: the SSDEEP hashes of 33.exe and 45.exe, and of 34.exe and 43.exe, differ in only a few characters. Where byte-identical files are given different behavioural signatures below, the difference reflects the sandbox run (image, timing, network), not the file, and such signatures should not be treated as fixed properties of the binary.

Target: 33.exe
Size: 176KB
MD5: a2b59a275d7eb532b4976872fad38cc6
SHA1: 0006de71b9270b92c74efa8e58586cf2f7ad1e64
SHA256: 067d5253b293459e5454da99c42f3200f8bf7e2cb4ec0e876aac089ac46fe54b
SHA512: 5e84c3e7e79019ccb72331e3601b1b4e277ecb0d4728998268ea23e6e41328690596b58c13f53a590379f891b726a5f5c66334aadf74027d8babcdcbd2471777
SSDEEP: 3072:QdlpkYBi4+lgqcEehWo2z3sCs6dAkkg5opnFi8T2qM1jrkOfmG4X:Sp3+QEeIz3x3dAkkgoFJT21hmr
Signatures:
- Xloader payload
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 34.exe
Size: 180KB
MD5: 7677c811c83f21eb325cee4e19efd155
SHA1: b443ae091cf1f897fc7e3a08fd16d4d1217a995c
SHA256: e73d3a2c368dac48144eb131a29b79bafd11fc6434fc2afd8ee512a3bfe4871b
SHA512: 3b434afc88f534dbdd6727f47101c55d30e46b4b86039ba00356092b9c0693c6a042e117c00bcef4987a587a65b6d8f7992fbb108e2468f268e5e40fe5737e89
SSDEEP: 3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hd/NYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdOM7j
Signatures:
- Xloader payload
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 35.exe
Size: 176KB
MD5: 675b7c7ed756d2c9bd3319802029a228
SHA1: 31b44c6668f81a997cfe99c240a8d9ecd35cbef4
SHA256: a16f939e9b65316cddd172484406394ebda2fed078d611d774b942daa6c239dc
SHA512: 776753c4aba10b83f995580940e1100c88999514e25edf2c172073c2f130d98b92e36d0364b91dc16b97e26263c191f7e025778849b1c8255078234cfbe2e861
SSDEEP: 3072:bQ9NMqbEzJhsadCKYQIhWEGr+pTJB1qdKXhDD4q0yW6xPJNnwN5GSBCV0BVEm:bcMKQ+aUYIkr+lJ7qIXhDD4q0yHBNnwa
Signatures:
- Xloader payload
- Blocklisted process makes network request
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 36.exe
Size: 176KB
MD5: d68996bdcd5a2b28de82355a1107fb9f
SHA1: f4ac00f5e4864a47da3569e0e75eb051e5ffd2bb
SHA256: 85668639c9ef2ed33488e13f4cfdb3f90342425c0f7a2ff014e77bd316e5581c
SHA512: d7c34972a76078ffde2c0cf7b2be0e39ffb0b070fea4c8b04e7f0e9339a8d1c50c427af659c2f9e634a9c71f04a87d8a54cf4cf8880a0ebdeab5a49f072aa536
SSDEEP: 3072:LVz5TPJuR4ptWuN9X3kUAJefLJMfC0OfWKHFpfY9kn992ffG57AhohP:NFgOph9noeTJTPnfjnUzoh
Signatures:
- Xloader payload
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 37.exe
Size: 176KB
MD5: 67dc61588f11f816b92690ea723fcd8e
SHA1: 73fd5e1d4bc161d5aa803ed1db493ce7cbca5f75
SHA256: 35876cb065b7b1a590a882ab9b85539d567043c53362208955f69093855e9ea9
SHA512: 7995ff412f92a72eeffc14633d225fb0bb68bfb5c54f0babd13416be4e11ab035d7f4ea7875de42ddb9fd899f25810b56009ca8b26f6d88d255c59e6f1e89a01
SSDEEP: 3072:DO+opXUUl1BGq3gjSW7ho/xYTXdS3cR+Z7v+cj5ilpbvHi21PQdk775cxIh0d:DaDzsggjHe/xY7d4cR+Zv+cN4B1IOP5c
Signatures:
- Xloader payload
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 38.exe
Size: 176KB
MD5: 8d832564ccf944aa80614078e59afca3
SHA1: 0eb7785515b2acc2c35fd4ec7b822fe97ef884b9
SHA256: 71d20cb55abb01e4cdb1d2f7a5e61f6048c34079970d5850b785386ca53c7c1a
SHA512: c5a1a9acb1da0d57b057e0a1a8141b21f209d50ed838e03ee904364255e4889beaea43173e65d1188cd8057c6ac25f43328f0ba181e7ee34c8b49c34aa41bfc9
SSDEEP: 3072:xrtRM59Srdxq5+HIbTS4WGRbQ/0oqcMisygnrs4oEV4oyDaShxt/RZG0TQh/mxrC:9I596dYoo3SYbQMogyUY4hV4oyDa87Zi
Signatures:
- Xloader payload
- Adds policy Run key to start application
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 39.exe
Size: 180KB
MD5: 12d0de0d9ba0e753b17a5572a3a23822
SHA1: 19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973
SHA256: b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4
SHA512: 9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856
SSDEEP: 3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3
Note: byte-identical to 40.exe and 42.exe (same hashes). Run as behavioral7 on win10v2004-20220812-en.
Signatures:
- Xloader payload
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 40.exe
Size: 180KB
MD5: 12d0de0d9ba0e753b17a5572a3a23822
SHA1: 19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973
SHA256: b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4
SHA512: 9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856
SSDEEP: 3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3
Note: byte-identical to 39.exe and 42.exe (same hashes). This copy was run as behavioral8 on win10v2004-20220901-en and is the only one of the three for which a dropped executable and a Run key were recorded; the runs of 39.exe and 42.exe on win10v2004-20220812-en show neither. The extra signatures therefore describe the run, not the binary.
Signatures:
- Xloader payload
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 41.exe
Size: 176KB
MD5: 228b0bc29a751779e97f60e14a1b9f57
SHA1: 0c735257db6d9afc8ee6a656a8634310411a049f
SHA256: 5480ecfb5e60326a88fe45eb2adf3d9bc67e26fc2fc7800609a467e6a5f77444
SHA512: 9a22551428299be14f05dfe3f0f1d710a1a15b794da3e0671abadd934fc576ba022458579d73cfe777c3599fd3c8859c118fa1b632cc7ce2c67108ad42af95f1
SSDEEP: 3072:yTjyF3P55Z+0IhW59LQUlOsdZNjIZfR5/VUmhFaIItneeVw65z:33h5JI8LQKj3NjIZfR5/uCFaIItlVw6
Signatures:
- Xloader payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 42.exe
Size: 180KB
MD5: 12d0de0d9ba0e753b17a5572a3a23822
SHA1: 19ea0cdd98fbe21fd9b7a6c1a1a681d882c9e973
SHA256: b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4
SHA512: 9f3c978c6793af877209b225bed86745160923f1db142015a0eb542207de43353998e50311914e7e46a29698dd779a2ed855e2d8fa34501bc570fc44144dd856
SSDEEP: 3072:2TFKD7rLrumkW7yyuMaEaGLoXgeg0KaMQC+t8j9o8mcW7sFBV:gKPrOmYyud/GLoXgj0KajC+Yo8mcCO3
Note: byte-identical to 39.exe and 40.exe (same hashes). Run as behavioral10 on win10v2004-20220812-en.
Signatures:
- Xloader payload
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 43.exe
Size: 180KB
MD5: 4655391b02be2427e3f1985ec687678b
SHA1: 6c05c1d258e3dfddd7b10053ab7d5574720678f7
SHA256: 8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0
SHA512: 2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661
SSDEEP: 3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j
Note: byte-identical to 44.exe (same hashes). Run as behavioral11 on win10v2004-20220901-en.
Signatures:
- Xloader payload
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 44.exe
Size: 180KB
MD5: 4655391b02be2427e3f1985ec687678b
SHA1: 6c05c1d258e3dfddd7b10053ab7d5574720678f7
SHA256: 8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0
SHA512: 2b0411b8478a39bec3dec6abe0c3e522f95a90addbbd2bde9bbda25779aba3abbcef926134b7cc746c7811bcda7e6a9192b1bc56efbbf047a9fd93bbd2e4c661
SSDEEP: 3072:MT2jRLlS/s+YDWhRW08JgsJZUzjsL54hdiNYKgd9m7YapOW:Fjpo3Yn08J7jUPi54hdtM7j
Note: byte-identical to 43.exe (same hashes). Run as behavioral12 on win10v2004-20220812-en. The same binary persisted through a policy Run key here but through an ordinary Run key in the 43.exe run, so a detection keyed on a single Run location would miss one of the two runs.
Signatures:
- Xloader payload
- Adds policy Run key to start application
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext

Target: 45.exe
Size: 176KB
MD5: 8918e6c9574a82a76d88ef4bdbcc7f07
SHA1: 9ca1f7bfffdd5b62e77e2b98a9938ba0eb35f314
SHA256: 4daaf3f047b0319b51b19ece40173f2fc691cb94651f744545ebe84da9383da9
SHA512: ce9e494ed7a76f8ef368ced6a18bbd5bfe203eb05177c70ecd1394fd812681be2b1e8a6de57441f050b75f9f28a991887ddf57070908cc62b9cd12384d8fc3b9
SSDEEP: 3072:QdlpkYBi4+lgqcEehWo2z3sCs6dAkkg5opIFi8T2qM1jrkOfmG4X:Sp3+QEeIz3x3dAkkgoMJT21hmr
Signatures:
- Xloader payload
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Adds Run key to start application
- Suspicious use of SetThreadContext

Target: 46.exe
Size: 180KB
MD5: 8ae4b54233e81b57019d4b5a99bd8c2a
SHA1: 26fd130c30a1d71e45c75938c0f2c6d30b8a1536
SHA256: f690ffee38ecd975fe66819463977ed1189c660c1a72db4cb8b6a957ea72fb6b
SHA512: 3445faa35303e0d790d24085da79edd8760efb2345bb000b6f3481f2219df1cc2f201fb00bfc3a4d3e490ecd0b5f527f2f00339ff42e07393fd8fa3a48603887
SSDEEP: 3072:3zUFGeFw82qbnsBWD4rF6aA/lY4RRSR5NClaYA5jmluZOsr1IW:YFG6ZVbnsDrFTAG4RRYCla/RrHI
Signatures:
- Xloader payload
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings (looks up country code configured in the registry, likely geofence)
- Suspicious use of SetThreadContext
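The duplicate-hash check that the Targets section relies on, as an added Python example; this is not part of the sandbox report or of any sandbox's own code. The SHA256 values, behavioural-task images and signature names are copied verbatim from the report above (46.exe gets no image because the report lists no behavioural task for it). The one interpretive assumption, stated in the docstring, is that a signature which appears for one copy of a byte-identical file but not another is a property of the run rather than of the binary.

```python
"""Cross-check the per-sample records of an XLoader sandbox report.

Groups the report's targets by SHA256 to find byte-identical samples and
lists the behavioural signatures that differ between identical files.
Identical bytes cannot behave differently because of their contents, so
any such difference is attributed here to the sandbox run (image, timing,
network reachability). That distinction matters when signatures are
turned into detection logic.
"""
from collections import defaultdict

# Signature and image names exactly as they appear in the report.
XLOADER = "Xloader payload"
GEO = "Checks computer location settings"
STC = "Suspicious use of SetThreadContext"
RUN = "Adds Run key to start application"
POLICY_RUN = "Adds policy Run key to start application"
DROP = "Executes dropped EXE"
NET = "Blocklisted process makes network request"
IMG_0812 = "win10v2004-20220812-en"
IMG_0901 = "win10v2004-20220901-en"

# Records transcribed from the report, in report order:
# (file name, SHA256, behavioural-task image or None if none is listed,
#  set of behavioural signatures).
REPORT = [
    ("33.exe", "067d5253b293459e5454da99c42f3200f8bf7e2cb4ec0e876aac089ac46fe54b", IMG_0812, {XLOADER, GEO, STC}),
    ("34.exe", "e73d3a2c368dac48144eb131a29b79bafd11fc6434fc2afd8ee512a3bfe4871b", IMG_0901, {XLOADER, DROP, GEO, RUN, STC}),
    ("35.exe", "a16f939e9b65316cddd172484406394ebda2fed078d611d774b942daa6c239dc", IMG_0812, {XLOADER, NET, GEO, STC}),
    ("36.exe", "85668639c9ef2ed33488e13f4cfdb3f90342425c0f7a2ff014e77bd316e5581c", IMG_0812, {XLOADER, GEO, STC}),
    ("37.exe", "35876cb065b7b1a590a882ab9b85539d567043c53362208955f69093855e9ea9", IMG_0901, {XLOADER, NET, DROP, GEO, RUN, STC}),
    ("38.exe", "71d20cb55abb01e4cdb1d2f7a5e61f6048c34079970d5850b785386ca53c7c1a", IMG_0812, {XLOADER, POLICY_RUN, GEO, STC}),
    ("39.exe", "b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4", IMG_0812, {XLOADER, GEO, STC}),
    ("40.exe", "b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4", IMG_0901, {XLOADER, DROP, GEO, RUN, STC}),
    ("41.exe", "5480ecfb5e60326a88fe45eb2adf3d9bc67e26fc2fc7800609a467e6a5f77444", IMG_0812, {XLOADER, POLICY_RUN, NET, GEO, STC}),
    ("42.exe", "b38ccebbce70c75c88be4529e17377d914fcc21b63f9afec651299e68b3346a4", IMG_0812, {XLOADER, GEO, STC}),
    ("43.exe", "8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0", IMG_0901, {XLOADER, GEO, RUN, STC}),
    ("44.exe", "8ff8e3b32d53e0c28d01f3487add2a6f12cbb493449b401382951b02c06777f0", IMG_0812, {XLOADER, POLICY_RUN, GEO, STC}),
    ("45.exe", "4daaf3f047b0319b51b19ece40173f2fc691cb94651f744545ebe84da9383da9", IMG_0812, {XLOADER, DROP, GEO, RUN, STC}),
    ("46.exe", "f690ffee38ecd975fe66819463977ed1189c660c1a72db4cb8b6a957ea72fb6b", None, {XLOADER, POLICY_RUN, DROP, GEO, STC}),
]


def group_by_sha256(records):
    """Map each SHA256 to the report entries that carry it, in report order."""
    groups = defaultdict(list)
    for name, sha256, _image, _sigs in records:
        groups[sha256].append(name)
    return dict(groups)


def duplicate_groups(records):
    """Hashes shared by two or more entries: the byte-identical samples."""
    return {h: names for h, names in group_by_sha256(records).items() if len(names) > 1}


def signature_divergence(records):
    """For each duplicate group, per member: the image it ran on and the
    signatures that not every member of the group produced."""
    by_name = {name: (image, sigs) for name, _sha256, image, sigs in records}
    divergence = {}
    for sha256, names in duplicate_groups(records).items():
        common = set.intersection(*(by_name[n][1] for n in names))
        divergence[sha256] = {
            n: {"image": by_name[n][0], "extra": sorted(by_name[n][1] - common)}
            for n in names
        }
    return divergence


def stable_signatures(records):
    """Signatures every sample produced: the ones a family-level detection
    can lean on, as far as this report goes."""
    return sorted(set.intersection(*(sigs for *_, sigs in records)))


def main():
    print(f"{len(REPORT)} entries, {len(group_by_sha256(REPORT))} distinct SHA256")
    for sha256, members in signature_divergence(REPORT).items():
        print(f"\n{sha256[:16]}... appears as {', '.join(members)}")
        for name, info in members.items():
            extra = ", ".join(info["extra"]) or "(none)"
            print(f"  {name} on {info['image']}: only in this run: {extra}")
    print("\nSeen in every sample:", ", ".join(stable_signatures(REPORT)))


if __name__ == "__main__":
    main()
```

Run as a script it prints the two duplicate groups and the run-specific signatures; the same three functions work unchanged on any list of (name, hash, image, signatures) tuples exported from another report.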