General
- Target: c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
- Size: 1.7MB
- Sample: 221125-j71ceadd27
- MD5: 6e3ddfb05767bf1e938606b00441da04
- SHA1: 4ab7fbc73f04b823a3f3f474a6cb7ca52d79b254
- SHA256: c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
- SHA512: e2d132c680b68ac1222b1e71e0c5f40b62a0e4499ab35c1b248f0c28b27183d2b93351593900a612b854c2bb885722845ff4cfe24fa8e99a261f3eeea5c192ae
- SSDEEP: 3072:iPKCblLCdC1TcIFr33QxB4KU5YGdOr/82fKcejIXWrNo3aVQ:A
Static task: static1
Behavioral task: behavioral1
- Sample: c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f.exe
- Resource: win7-20220812-en
Malware Config
Extracted
xloader
2.3
csv8
slgacha.com
oohdough.com
6983ylc.com
aykassociate.com
latin-hotspot.com
starrockindia.com
beamsubway.com
queensboutique1000.com
madbaddie.com
bhoomimart.com
ankitparivar.com
aldanasanchezmx.com
citest1597669833.com
cristianofreitas.com
myplantus.com
counterfeitmilk.com
8xf39.com
pregnantwomens.com
yyyut6.com
stnanguo.com
fessusesefsee.com
logansshop.net
familydalmatianhomes.com
accessible.legal
epicmassiveconcepts.com
indianfactopedia.com
exit-divorce.com
colliapse.com
nosishop.com
hayat-aljowaily.com
soundon.events
previnacovid19-br.com
traptlongview.com
splendidhotelspa.com
masterzushop.com
ednevents.com
studentdividers.com
treningi-enduro.com
hostingcoaster.com
gourmetgroceriesfast.com
thesouthbeachlife.com
teemergin.com
fixmygearfast.com
arb-invest.com
shemaledreamz.com
1819apparel.com
thedigitalsatyam.com
alparmuhendislik.com
distinctmusicproductions.com
procreditexpert.com
insights4innovation.com
jzbtl.com
1033325.com
sorteocamper.info
scheherazadelegault.com
glowportraiture.com
cleitstaapps.com
globepublishers.com
stattests.com
brainandbodystrengthcoach.com
magenx2.info
escaparati.com
wood-decor24.com
travelnetafrica.com
herbmedia.net
Targets
- Target: c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
- Size: 1.7MB
- MD5: 6e3ddfb05767bf1e938606b00441da04
- SHA1: 4ab7fbc73f04b823a3f3f474a6cb7ca52d79b254
- SHA256: c293d4d9e720d02c39bdf666a07c503afd2fa0a2999b4ac75fe652f0723a7f8f
- SHA512: e2d132c680b68ac1222b1e71e0c5f40b62a0e4499ab35c1b248f0c28b27183d2b93351593900a612b854c2bb885722845ff4cfe24fa8e99a261f3eeea5c192ae
- SSDEEP: 3072:iPKCblLCdC1TcIFr33QxB4KU5YGdOr/82fKcejIXWrNo3aVQ:A
Signatures
- Modifies WinLogon for persistence
- Turns off Windows Defender SpyNet reporting
- Xloader payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext