General
-
Target
BK8476699_BOOKING.exe
-
Size
465KB
-
Sample
210909-fqt8aaagcr
-
MD5
0184924485a5bb35957ca5102af07b50
-
SHA1
e52aad204a9e5b6914885fc7325a44a1e088ca28
-
SHA256
024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a
-
SHA512
bb7be885c9a3a71935ee5c916d89e223fed4362794132848fb0248ce1ba70801c81bdbfe5de35d6ce394e503f5ab276d9624c1325cfec822d02453882458682d
Static task
static1
Behavioral task
behavioral1
Sample
BK8476699_BOOKING.exe
Resource
win7-en
Malware Config
Extracted
formbook
4.1
nff
http://www.yellow-wink.com/nff/
shinseikai.site
creditmystartup.com
howtovvbucks.com
betterfromthebeginning.com
oubacm.com
stonalogov.com
gentrypartyof8.com
cuesticksandsupplies.com
joelsavestheday.com
llanobnb.com
ecclogic.com
miempaque.com
cai23668.com
miscdr.net
twzhhq.com
bloomandbrewcafe.com
angcomleisure.com
mafeeboutique.com
300coin.club
brooksranchhomes.com
konversiondigital.com
dominivision.com
superiorshinedetailing.net
thehomechef.global
dating-web.site
gcbsclubc.com
mothererph.com
pacleanfuel.com
jerseryshorenflflagfootball.com
roberthyatt.com
wwwmacsports.com
tearor.com
american-ai.com
mkyiyuan.com
gempharmatechllc.com
verdijvtc.com
zimnik-bibo.one
heatherdarkauthor.net
dunn-labs.com
automotivevita.com
bersatubagaidulu.com
gorillarecruiting.com
mikecdmusic.com
femuveewedre.com
onyxmodsllc.com
ooweesports.com
dezeren.com
foeweifgoor73dz.com
sorchaashe.com
jamiitulivu.com
jifengshijie.com
ranchfiberglas.com
glendalesocialmediaagency.com
icuvietnam.com
404hapgood.com
planetturmeric.com
danfrem.com
amazonautomationbusiness.com
switchfinder.com
diversifiedforest.com
findnehomes.com
rsyueda.com
colombianmatrimony.com
evan-dawson.info
Targets
-
-
Target
BK8476699_BOOKING.exe
-
Size
465KB
-
MD5
0184924485a5bb35957ca5102af07b50
-
SHA1
e52aad204a9e5b6914885fc7325a44a1e088ca28
-
SHA256
024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a
-
SHA512
bb7be885c9a3a71935ee5c916d89e223fed4362794132848fb0248ce1ba70801c81bdbfe5de35d6ce394e503f5ab276d9624c1325cfec822d02453882458682d
-
Formbook Payload
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-