General
Target: PO LS632911DX.exe
Size: 823KB
Sample: 210726-8r5m975kpx
MD5: 27816f5bbff9bb6d4cc2e1be225a435b
SHA1: fd1f06a502d374711697015cc897fdb28e402e16
SHA256: c2a7767b9323fd3630a56a3fb09a7884bd7dfb0f7146d5caafff472205e1ebdc
SHA512: 4bee32d2df168aeba05ceb9e511f84d4a7aa5d08c96047cf6ca0f3241e6d4fb8e4cf5e1cee3e6389e9ceaca400769032bd85b5f323975fdbed4963a3e5a7a217
Static task: static1
Behavioral task: behavioral1
Sample: PO LS632911DX.exe
Resource: win7v20210410
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.survivai.com/bsdd/
Decoy domains (Formbook 4.x carries a list of decoy domains next to the single real C2 and contacts them so the check-in blends in with benign-looking traffic; many are ordinary sites, so treat a hit on one of these as weak evidence on its own and do not block them on this report alone):
533dh.com
galerisikayet.xyz
tipsyalligator.com
crystalwellnessstudio.com
moovaap.com
lelfie.network
speedy-trips.com
prospectsolucoes.com
24x7customersservice.com
szbinsen.com
shikhardeals.com
totaldenta.com
ayksjx.com
avxrja.online
24kyule888.com
ufaw.net
spinozone.com
castvoicesmsreg.com
lajollawoodworks.com
renetyson.com
stephanieodennewsletter.com
tuben8.com
thescriptshack.com
macooperativeinc.com
franklinmachado.com
breezeescape.com
conv2app.com
kreditkarten-profi.com
czscjx.com
pvj2019.com
boosagroup.com
inesperienced.com
leschenaultpottery.com
sitvsfit.net
dwsykj.com
touchsquad.com
healthythomas.com
lphomeinspections.com
officialbondandunion.com
snowgreerfamilymemories.com
superheroesindisguise.com
topimportant.com
drillinginsider.com
esflog.net
baliyogacruise.net
sdys999.com
rugpat.com
solarpollo.com
kindrehearts.com
marijuana-medicine.com
thefinal7.com
guardiadeorixa.com
kayeducates.com
francorp.business
wegatherwegrow.com
quientequitalobailado.net
ghostridercreative.com
rachaeveal.com
sourcesysstems.com
xiuli100.com
xmjer.com
support-center-login.network
conversoronlline.com
misinformationnationmovie.com
Targets
Target: PO LS632911DX.exe
Size: 823KB
MD5: 27816f5bbff9bb6d4cc2e1be225a435b
SHA1: fd1f06a502d374711697015cc897fdb28e402e16
SHA256: c2a7767b9323fd3630a56a3fb09a7884bd7dfb0f7146d5caafff472205e1ebdc
SHA512: 4bee32d2df168aeba05ceb9e511f84d4a7aa5d08c96047cf6ca0f3241e6d4fb8e4cf5e1cee3e6389e9ceaca400769032bd85b5f323975fdbed4963a3e5a7a217
Signatures triggered during the behavioral task:
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Deletes itself
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation. The obfuscation applies to the .NET loader; the Formbook payload it unpacks is native code.
Suspicious use of SetThreadContext
Calling SetThreadContext on a thread in another process is the step that redirects a suspended thread's execution to injected code, so this signature is consistent with the process hollowing/injection Formbook's loader uses to run the payload from a legitimate process. Together with the Suricata check-in hit it confirms the payload ran and reached its C2, not just that a loader was dropped.
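The digests, C2 URL and decoy list in this report are only useful once turned into checks. The Python below is an added example, not part of the sandbox report or of any vendor tool: it reproduces the four digests for a candidate file, classifies resolver queries against the extracted config, and deliberately treats a C2 hit and a decoy hit differently, because the decoys are there to hide the real check-in. The "key=value" resolver log format and the host names in it are constructed for the demonstration, and the decoy set is a subset of the report's list.

```python
"""Triage helper for the IOCs in the Formbook report above.

Added example, not part of the sandbox report. The digests, C2 URL and the
domain list are copied from the report; the byte strings and DNS log lines
used below are constructed for the demonstration.
"""
import hashlib
import re
from urllib.parse import urlparse

# Digests the report gives for PO LS632911DX.exe.
REPORTED_HASHES = {
    "md5": "27816f5bbff9bb6d4cc2e1be225a435b",
    "sha1": "fd1f06a502d374711697015cc897fdb28e402e16",
    "sha256": "c2a7767b9323fd3630a56a3fb09a7884bd7dfb0f7146d5caafff472205e1ebdc",
    "sha512": "4bee32d2df168aeba05ceb9e511f84d4a7aa5d08c96047cf6ca0f3241e6d4fb8e"
              "4cf5e1cee3e6389e9ceaca400769032bd85b5f323975fdbed4963a3e5a7a217",
}

# The one real C2 in the extracted config.
C2_URL = "http://www.survivai.com/bsdd/"

# Subset of the decoy list from the config (the full list is in the report).
DECOY_DOMAINS = {
    "533dh.com", "galerisikayet.xyz", "tipsyalligator.com",
    "crystalwellnessstudio.com", "moovaap.com", "lelfie.network",
    "speedy-trips.com", "prospectsolucoes.com", "24x7customersservice.com",
}


def digests(data):
    """Compute every digest type present in the report for the given bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORTED_HASHES}


def matching_digests(data):
    """Names of the reported digests that the given bytes reproduce.

    Returns [] for anything that is not the sample; for the real file all
    four names come back, which is the check to run before trusting a copy.
    """
    computed = digests(data)
    return [name for name, value in computed.items() if value == REPORTED_HASHES[name]]


def _normalize(domain):
    return domain.strip().rstrip(".").lower()


def _under(name, zone):
    """True if name equals zone or is a subdomain of it."""
    return name == zone or name.endswith("." + zone)


# The C2 host plus its parent with a leading "www." stripped (assumption:
# no public-suffix handling, which is fine for this single host).
_C2_HOST = urlparse(C2_URL).hostname
_C2_ZONES = {_C2_HOST, _C2_HOST[4:] if _C2_HOST.startswith("www.") else _C2_HOST}


def classify_domain(domain):
    """Return "c2", "decoy" or None for a queried name."""
    name = _normalize(domain)
    if any(_under(name, zone) for zone in _C2_ZONES):
        return "c2"
    if any(_under(name, zone) for zone in DECOY_DOMAINS):
        return "decoy"
    return None


# Constructed resolver log lines (not from the report) in a hypothetical
# "key=value" format.
SAMPLE_DNS_LOG = """\
2021-07-26T10:00:01Z host=WS01 query=www.survivai.com type=A
2021-07-26T10:00:02Z host=WS01 query=tipsyalligator.com type=A
2021-07-26T10:00:03Z host=WS02 query=www.example.com type=A
2021-07-26T10:00:04Z host=WS01 query=cdn.speedy-trips.com. type=AAAA
"""

_LINE = re.compile(r"host=(?P<host>\S+)\s+query=(?P<query>\S+)")


def triage_dns_log(text):
    """Return (host, queried name, verdict) for lines that hit the config.

    A C2 hit is the actionable finding. A decoy hit alone is weak evidence:
    Formbook resolves decoys to hide the real check-in, and many decoys are
    ordinary sites, so report them but do not block on them by themselves.
    """
    hits = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if not m:
            continue
        verdict = classify_domain(m["query"])
        if verdict:
            hits.append((m["host"], _normalize(m["query"]), verdict))
    return hits


if __name__ == "__main__":
    print(matching_digests(b"not the sample"))
    for hit in triage_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

The classifier matches subdomains as well as exact names (the trailing dot and case are normalized), and keys the C2 on the hostname rather than the full URL, since a resolver log never sees the path. The path `/bsdd/` is what the proxy or the Suricata check-in rule sees, so correlate a `c2` DNS hit with HTTP logs for that host before declaring the host compromised.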