General
- Target: Documento.exe
- Size: 865KB
- Sample: 210806-w16642ztwe
- MD5: d8abd4f86a18863e236bd2f3118344f4
- SHA1: 72f6c8df84b627ece609e249b530c2e8bba949fc
- SHA256: c70917b8034aedf54cf578fa9db38399a6129376bc7d06cacd6b324fed45c5a7
- SHA512: 448371b54e18cd656d4627dfdc38fe6b32f7e5d2ef07e4b644c8a0bd016d9ba8d4240130e3124c33cbfd582cabdc4d6e38bf22b65335ded51b313cf688aa6692

Static task: static1

Behavioral task: behavioral1
- Sample: Documento.exe
- Resource: win7v20210410
Malware Config
Extracted
formbook
4.1
kd8k
http://www.drtimgood.com/kd8k/
khjbhqpha.com
edukasiinvestor.com
jokysun.com
remnantfund.com
yolevin.com
namshicontrole2.com
manayikorean.site
ysy.mobi
netconzulting.com
deeparchivesvpn.com
kiemmieng.com
guptavegetables.com
walihamidullahthetraveller.com
littlehamptonacres.com
pause-to-simplify.com
famehound.com
artthatsells.net
hickorymontessori.com
enjoyitpestfree.com
linuxliang.com
toorden.com
vspbavjm.asia
therightref.com
springfibre.net
tumorpedia.com
ppark.tech
perfectohydrodrill.com
vivelaprovince.com
elevatedfromwithin.com
vidudio.com
acostaportal.com
newmillenniumwheels.com
emidhotels.com
teletrabajadesdelaplaya.com
audrunner.com
novaraweb.net
tbookslide.com
maskuni.com
ezolimo-corporation.com
educatoredwards.com
ammosquare.com
safeyourcity.com
trucksrrollinginternational.com
yaqinuo-beauty.com
greatthingsforme.com
cidrobosas.com
asesoriamentai.com
paradisemodafemenina.com
assuredoutcomesllc.com
zs597.com
impactpittsburg.com
argusmessaging.com
marketingconjoha.com
applite-autodesbloqueio.com
extop.net
greatplacetoliveforseniors.com
repcitylove.com
inweli.com
qls126-vh.com
lansdaledentists.com
lmmry.com
domaine-dezat.wine
her-haircollection.com
catoseo.com
Targets
- Target: Documento.exe
- Size: 865KB
- MD5: d8abd4f86a18863e236bd2f3118344f4
- SHA1: 72f6c8df84b627ece609e249b530c2e8bba949fc
- SHA256: c70917b8034aedf54cf578fa9db38399a6129376bc7d06cacd6b324fed45c5a7
- SHA512: 448371b54e18cd656d4627dfdc38fe6b32f7e5d2ef07e4b644c8a0bd016d9ba8d4240130e3124c33cbfd582cabdc4d6e38bf22b65335ded51b313cf688aa6692
- ModiLoader, DBatLoader: ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetThreadContext