General
- Target: PO-25 dated 4th., 2020.exe
- Size: 467KB
- Sample: 201109-4z7mx3xljn
- MD5: 2dac96d6f34fae50fe8f431126801ed3
- SHA1: 87e09ae244daa9cde03a23174a659260fdd33325
- SHA256: 8cac0e47c8769e535bb8d4c6fc749aec4be79589a303cc89144cf07b2ba91b91
- SHA512: 3a72a1414f5eb15229c596d282970018d916bdeb83c2bda5a00d98f50a7606f509b935d99689fdd8ed4ada6665c58bc690884f9daf28f910e693684da772ea24
Static task: static1
Behavioral task: behavioral1
- Sample: PO-25 dated 4th., 2020.exe
- Resource: win7v20201028
Malware Config
- Extracted: formbook
http://www.covpsychiz.info/sg03/
resuisse.com
nomoreblow.com
eachmissive.com
ilmionapoli.com
boxingtechnics.com
cognosinstitute.com
wheresmyredun.com
godashin.com
suit-brands.com
fcesr.com
askgalago.com
ravencanyondesigns.com
bianxuexiao.com
hypno-hacks.com
techcarney.com
racingandrecipes.com
malsfoundation.us
liminalspirits.com
jiralabs.com
calebdavidsmith.com
solidlogic.us
silvercloudchicago.com
funeralvoucher.com
lynnsbeautylab.com
rdmeals.net
xietuwen.com
criativistas.com
herdruss.com
rotus-shop.com
double-money-robot.online
picsandpie.com
game-uu.com
wolfpackplayden.com
fitrevenge.com
zuibaxian.net
lebuhorskiy.com
dreamcatcherdesigns.biz
the24k.net
hydraulicstock1.com
thethompsons2019.com
lawayrane.com
djj520.com
ndua8b.top
jlhflm.com
sweetrition.biz
trinity-ig.com
qjdy8250.com
safe-digital-life.info
cyberpunk2077-mods.com
lasaguesera.com
seizeyoursuccessguide.com
wf8vyt.info
topambebi.com
jk-qa.com
visitor.guru
emberswindandfoodfestival.com
drivershelpingdrivers.com
tv16971.info
foodie-jp.com
a1t6.com
segurlistseguros.com
gocorenation.com
wrightlaine.com
daisylim.com
Targets
- Target: PO-25 dated 4th., 2020.exe
- Size: 467KB
- MD5: 2dac96d6f34fae50fe8f431126801ed3
- SHA1: 87e09ae244daa9cde03a23174a659260fdd33325
- SHA256: 8cac0e47c8769e535bb8d4c6fc749aec4be79589a303cc89144cf07b2ba91b91
- SHA512: 3a72a1414f5eb15229c596d282970018d916bdeb83c2bda5a00d98f50a7606f509b935d99689fdd8ed4ada6665c58bc690884f9daf28f910e693684da772ea24
Signatures
- Formbook Payload
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
- Adds Run key to start application
- Suspicious use of SetThreadContext