General
Target: 5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0
Size: 194KB
Sample: 241121-zrqe9sxpat
MD5: 9dc0365f7e8d437f9d85797c02e65370
SHA1: 4a78a78b00f5e5054051ed5e582d7fdb639d96c8
SHA256: 5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0
SHA512: 095642c3e10a9b1251c83102110d814db7914f740a86b1bea74e5a817af2ff582215a2223d951cf193f9c870e947a89567f70bfe01a88eb3828749c98aabcfa1
SSDEEP: 3072:oWAObH4JhkLh/jdD8GDmh2MCGki7LpAzg6AZowGc+d6QLNWUFo8Sf/9b6mdrX:ppShk5jdwGKh2MPfUgX7ZQLzkBrX
Static task: static1
Behavioral task: behavioral1
Sample: d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e.js
Resource: win7-20240903-en
Malware Config
Extracted
Family: xloader
Version: 2.5
Campaign: pzi0
Domains (XLoader/Formbook configs mix the live C2 with a list of decoy domains, so treat every entry below as something to hunt on, not as confirmed attacker infrastructure):
laylmodest.com
woruke.club
metaverseslots.net
syscogent.net
aluxxenterprise.com
lm-solar.com
lightempirestore.com
witcheboutique.com
hometech-bosch.xyz
expert-netcad.com
poteconomist.com
mycousinsfriend.biz
shineveranda.com
collegedictionary.cloud
zqlidexx.com
businessesopportunity.com
2utalahs4.com
participatetn.info
dare2ownit.com
varser.com
gxo.digital
networkroftrl.xyz
renturways.com
theprooff.com
ncgf06.xyz
lighterior2.com
one-seo.xyz
benzprod.xyz
k6tkuwrnjake.biz
robinlynnolson.com
ioptest.com
modern-elementz.com
baetsupreme.net
lapetiteagencequimonte.com
xn--bellemre-60a.com
bringthegalaxy.com
shopnobra.com
maroondragon.com
pandemictickets.com
intelligentrereturns.net
quietshop.art
anarkalidress.com
wasserstoff-station.net
filmweltruhr.com
buck100.com
maxicashprommu.xyz
studiosilhouettes.com
lightningridgetradingpost.com
zhuanzhuan9987.top
mlelement.com
krystalsescapetravels.com
simplyabcbooks.com
greenhouse1995systems.com
altogetheradhd.com
servicedogumentary.com
cdcawpx.com
motometics.com
palisadesattahoe.com
paradgmpharma.com
microexpertise.com
venkycouture.online
maculardegenerationtsusanet.com
atlasbrandwear.com
karegcc.com
buffstaff.com
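The hashes and the extracted domain list are only useful once they are compared against something. The Python below is an added example (not part of the sandbox report) that fingerprints a file against the report's SHA256 values and scans DNS query lines for the extracted domains, matching parent domains and converting IDN queries to the punycode form the config uses (so a query for bellemère.com hits xn--bellemre-60a.com). The log line format, client addresses and queries are constructed for illustration, and only a subset of the domain list is embedded.

```python
"""Match a file and DNS queries against the indicators in this report.

Added example, not part of the sandbox report. The DNS log format, client
addresses and queries below are constructed; the domain set is a subset of
the extracted config.
"""
import hashlib
import re

# SHA256 values copied from the report, keyed to what they identify.
REPORT_HASHES = {
    "5d2be550db7b54a3bb218ccc00904299863d2acc71095fc28d470488b0f1aca0": "submitted file (194KB)",
    "d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e": "analysed .js (354KB)",
}

# Subset of the xloader 2.5 / pzi0 domain list; extend with the full list above.
# XLoader configs mix the live C2 with decoys, so a hit is a lead, not proof.
XLOADER_DOMAINS = {
    "laylmodest.com", "woruke.club", "metaverseslots.net", "syscogent.net",
    "xn--bellemre-60a.com", "ncgf06.xyz", "k6tkuwrnjake.biz", "gxo.digital",
}


def fingerprint(data):
    """Compute the four digests the report lists (MD5, SHA1, SHA256, SHA512)."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def match_report(data):
    """Return the report label if the SHA256 of data is one of the targets, else None."""
    return REPORT_HASHES.get(fingerprint(data)["sha256"])


def normalize_domain(name):
    """Lowercase, drop the trailing dot, and convert IDN labels to punycode so
    a query for 'bellemère.com' matches the xn-- form used in the config."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def domain_in_set(name, indicators):
    """Return the indicator matched by name or any of its parent domains
    (www.woruke.club -> woruke.club); never matches a bare TLD."""
    labels = normalize_domain(name).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


# Constructed log format: "<timestamp> client=<ip> query=<name> type=<rrtype>".
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines, indicators=XLOADER_DOMAINS):
    """Return (client, queried name, matched indicator) for every hit."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        matched = domain_in_set(m["qname"], indicators)
        if matched:
            hits.append((m["client"], m["qname"], matched))
    return hits


# Constructed sample lines, not telemetry from the sandbox run.
SAMPLE_DNS_LOG = [
    "2024-11-21T10:02:11Z client=10.0.0.5 query=www.woruke.club. type=A",
    "2024-11-21T10:02:12Z client=10.0.0.5 query=bellemère.com type=A",
    "2024-11-21T10:02:13Z client=10.0.0.7 query=updates.example.org type=A",
    "2024-11-21T10:02:14Z client=10.0.0.9 query=ncgf06.xyz type=A",
]

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {qname}, matches config domain {ioc}")
```

Parent-domain matching is deliberate: XLoader samples query the configured hosts with paths under them, and resolver logs often carry a www. or trailing-dot form, so exact-string comparison against the list misses real hits.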
Targets
Target: d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e
Size: 354KB
MD5: 4e5cc8fddecae16e747e6b1a48b31cd5
SHA1: 9195d4069bc82b38261bb9ec58333921e7164eac
SHA256: d2d96154024ca3137cd2e84d367053ea8e0de0459a781356577a3ba775c1fb8e
SHA512: fa27ad2184bc22d0d7784e1ecffd049266c43b196635373e73280d71e244061687113143361e8466f29f489259afd0b18e8c50ffb37007cc199fea0e28475ad1
SSDEEP: 6144:MFy6iTj2GQabp6O5GiyPXg6FRC5epPNmyJn6kiMJ+ME5fSKO37S:MFy6NagigXg6FR7NmyJGMfExSPG
Signatures
Formbook family
Vjw0rm family
Xloader family
Xloader payload
Adds policy Run key to start application
Checks computer location settings: Looks up country code configured in the registry, likely geofence.
Drops startup file
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Privilege Escalation (TA0004)
  Boot or Logon Autostart Execution (T1547): 2 signatures
    Registry Run Keys / Startup Folder (T1547.001): 2 signatures
Credential Access (TA0006)
  Credentials from Password Stores (T1555): 1 signature
    Credentials from Web Browsers (T1555.003): 1 signature
  Unsecured Credentials (T1552): 1 signature
    Credentials In Files (T1552.001): 1 signature