General
-
Target
09021.gz
-
Size
523KB
-
Sample
210921-n2axsacaep
-
MD5
bacd65cdd5bac7dffd56f6c9d8f8236b
-
SHA1
44e1e92010cbc510764461ce58aedf518cf8562c
-
SHA256
daf2171fbf6da5a14b9ac720e3f6a1f75d8d7c1d3e3be02c308ae4faa854eb65
-
SHA512
6f0071c2c6a1fd70836b69d682c6c37efbb1bd9906f32a8c34ed89aa1c08648420f6f9b6c5b221503aec6306b55d1585b7e15f874564e9894e074997af6d1d9d
Static task
static1
Behavioral task
behavioral1
Sample
09021.exe
Resource
win7v20210408
Malware Config
Extracted
formbook
4.1
o4ms
http://www.nocodehost.com/o4ms/
fishingboatpub.com
trebor72.com
qualitycleanaustralia.com
amphilykenyx.com
jayte90.net
alveegrace.com
le-fleursoleil.com
volumoffer.com
businessbookwriters.com
alpin-art.com
firsttastetogo.com
catofc.com
ref-290.com
sbo2008.com
fortlauderdaleelevators.com
shanghaiyalian.com
majestybags.com
afcerd.com
myceliated.com
ls0a.com
chautauquapistolpermit.com
cq1937.com
riafellowship.com
sjzlyk120.com
onlinerebatemall.com
bjlmzmd.com
services-neetflix-info.info
khaapa.com
thehgboutique.com
iconndigital.com
ninjavendas.com
zeonyej.icu
iddqdtrk.com
taoy360.info
conanagent.icu
mobileflirting.online
lorrainelevis.com
bakerrepublic.com
tfi50.net
mildlobr.com
turnkeypet.com
instarmall.com
contilnetnoticias.website
symbiocrm.com
earn074.com
swapf.com
daveydavisphotography.com
notes2nobody.com
pensje.net
nanoplastiakopoma.com
inlandempiresublease.com
donaldjtryump.com
secondinningseva.com
zumohub.xyz
torbiedesigns.com
koastedco.com
lifestyleeve.com
purposepalacevenue.com
risk-managements.com
doluhediye.com
revolutionarylightworkers.com
smithridge.net
share-store.net
jastalks.com
Targets
-
-
Target
09021.exe
-
Size
592KB
-
MD5
2536c125edc35ac5061b596308ff8dcd
-
SHA1
d0506e1bcdb5c8a3714ccb0fa6603173ade0baf7
-
SHA256
d9cc0ba64d20a3a60f1580c74ff1269f5b545a0abf23362cbc678b12057a6cf3
-
SHA512
f2e22c98a7a1986178413aa7661707973b6357fe3c2576f12e7b0a4817693f559a0aa6edae364b7c94875058d1e2dc91efeb4d2d05a826a060fa21cf14918521
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-