General
- Target: PO20210120.exe
- Size: 943KB
- Sample: 210121-srjhres2ln
- MD5: 6fc44193a2a79ad1bd15606386bb0cb0
- SHA1: d76e50ba12ea567584f9ee992b60bbf838be3c0a
- SHA256: 82c118d71fb0433b051b37a040f31f2455ceb3ddd01b7d314cf6b1f4648d454d
- SHA512: 554fa9c246a5284cf6f273cd13e744875150a5ac15d6443a46116a3e311ed60feafde4c9364f8d23dfef22bf1abb38a1bae2c21405c94a68489376a04a1c96ec
Static task: static1
Behavioral task: behavioral1
- Sample: PO20210120.exe
- Resource: win7v20201028
Malware Config
- Extracted: formbook
- http://www.adamjbrowne.com/knb/
- nona-home.com
- themundoverdeproject.com
- nhlkrakenfans.com
- mak-bauunternehmung.com
- public-secret.com
- exitumgestao.com
- stopforeclosurenow.net
- citestbiz1597776507.com
- kythuatxetnghiemyhoc.com
- longislandeventplanner.com
- uaetechworld.com
- centretabacstop.net
- jomelvendivel.com
- agricultureesm.com
- successwithspencer.com
- companywars.net
- terrellhillsdirectory.com
- ngldwyy.com
- cwiprinting.net
- lnstagramgetverifyaccounts.site
- celerationeducation.com
- moodrops.com
- connorwill.com
- jackwoodguitar.com
- healthytreatsandmore.com
- treasurespartyrental.com
- completeservicos.com
- byteart.club
- kreationsbyittybitty.com
- studiomaternofetal.com
- fastecourses.com
- mahlatblog.com
- morkiehouse.com
- livefreegoddess.love
- asyadizicevirileri.com
- xn--u2u404a3kr5xb.com
- surptalb.xyz
- stockbrokerpotential.xyz
- arigibicalis.com
- contactorsplan.com
- huaxichenfei.com
- 856380163.xyz
- martid-2006.com
- inspirationalsblog.com
- tienda-sky.com
- higherresin.com
- occasioncelebrations.com
- mybeesplatform.com
- elementary-farming.com
- bandao56.com
- fivebyfivefglobal.com
- sandeepasblog.com
- nirvanatopshelf.net
- jncwjzgc.com
- zauhaus.com
- librasnacks.com
- thefashiondaily.net
- piecegig.com
- astaxanthinsavedme.com
- rileypm.com
- the-champions-club.com
- vkdeb.site
- eco-decking.com
- onlinecryptoforexminers.com
Targets
- Target: PO20210120.exe
- Formbook Payload
- Deletes itself
- Enumerates physical storage devices
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of SetThreadContext