General
Target: PFR 2012R2-45137.lzh
Size: 498KB
Sample: 210909-gvzh8saggn
MD5: 7e78c111943858ddd09bd268d492206e
SHA1: 7343b35365d6d7406a99ec00fd47bba71cd3c7e7
SHA256: faaf9067632f27df389f09dd6fc4bec073fc25bec1043672201b312c7f3454c7
SHA512: bafef0bae1b58fa97b0c87c278aecd4ddf496a354c55c072113725bdf1431977b05065b3c926ba94f6f05884805111656387c56b9dce98ac0db00368e7095c4d
Static task: static1
Behavioral task: behavioral1
Sample: PFR 2012R2-45137.exe
Resource: win7-en
Malware Config
Extracted
formbook
4.1
ergs
http://www.barry-associates.com/ergs/
Targets
Target: PFR 2012R2-45137.exe
Size: 749KB
MD5: 8fa85ce4b25441a6e45dd6c74cb79670
SHA1: 1b5ce8ebb1074d89dead6ed83e7c8d6d77a8971f
SHA256: 6a778cbfb34a637265c39ae5a0a321010998d93fb7183b4e8766a4a2390bf72f
SHA512: 31c726a677f25ef0dbb688d0b778d527661fda5208da8bd3cb11fc971536b8b2e18ccdeea4008956515a6fd6c1f6d1999884a754e51fc696b5540dbf1c2ec5be
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Deletes itself
Suspicious use of SetThreadContext