General
- Target: worked.exe
- Size: 776KB
- Sample: 210121-gy72kezlax
- MD5: a8417cfd71637c7371986737cff269cf
- SHA1: 62764e915771688218d9e93d139a85f8d983e2b8
- SHA256: ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
- SHA512: 35af7f1511402987a6abcb14ce1be7ccfeaee5fa11ae6c66eb9b1ac0d3dd6690e6f1be8e1163c90b8104b4845da89d7468484b730dc669340694a7a21feeb181
Static task: static1
Behavioral task: behavioral1
- Sample: worked.exe
- Resource: win7v20201028
Malware Config
Extracted: formbook
http://www.maalkhairaatwosu.com/zn7/
xaozal.com
yanafarms.com
domennyarendi64.net
bumiflogrance.com
cre8tivspace.com
s3video.com
eshelwoodwork.com
centaurme.com
novarticle.com
jbastavi.com
hueandboldcreative.com
phraeudom.com
bright.discount
brandonandrana.com
budundergisi.xyz
wedochin.com
cryptowaveride.com
dunnwrightconst.com
hakador.net
costcostock.com
journeysenterprises.com
tuhocnet.com
yourfitential.com
kingomauctions.com
goodiscs.com
wzqp7.com
alamolog.com
primerpuntoferretero.com
sharonrebucas.com
redtentmotorhomes.com
searko.com
gildcash.com
campsensation.com
myfreeinvitation.com
esuenud.com
yourbeachholiday.com
myvisscard.com
wasalnygroup.com
mvuraskin.com
crystalwiththecrystalz.com
pincmd.com
sgh.plus
arkediem.com
24hrsby7.com
andreygrizenko.online
liveincrestline.com
wearecdi.com
imagestexas.com
tranz4mations.com
helixcoffeehouse.com
investmentresourcesaz.com
a-miin.com
marisadelucia.com
minileprix.com
salesfunnelfairy.net
necroticpowerful.xyz
devarista.tech
peterbreuer.com
greenlandbuilders.com
davidgaleano.com
redfalken.com
idiocy.online
noahbrewer.net
alkhaleejnews.net
Targets
- Target: worked.exe
- Size: 776KB
- MD5: a8417cfd71637c7371986737cff269cf
- SHA1: 62764e915771688218d9e93d139a85f8d983e2b8
- SHA256: ed806d196c4c8573b7044e2a1f98f01527947c6e95e97a6e9b061ede6ec75664
- SHA512: 35af7f1511402987a6abcb14ce1be7ccfeaee5fa11ae6c66eb9b1ac0d3dd6690e6f1be8e1163c90b8104b4845da89d7468484b730dc669340694a7a21feeb181
Signatures
- Formbook Payload
- Deletes itself
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext