General

Target: BOM Contracting and General Supplies.js
Size: 22KB
Sample: 211011-hn8zrsgegn
MD5: 81a0010758bb3da2796a7506bfd4aab3
SHA1: ffc61c27e1a58878878e7b2b44c97ec23c0e09d2
SHA256: 3f82447c548d6d623ddc3f9965363df07f52cdf8eda955c55332196ee409e4c6
SHA512: 9521ed85e7a83eb890f706add3da9c29d29bd5c5b4a535541df9eb4072f4944fff34643289955ddf37be16f3cf815a8f77392cc656c0bb85506211ec28680779
Static task: static1
Behavioral task: behavioral1
Sample: BOM Contracting and General Supplies.js
Resource: win7v20210408
Malware Config

Extracted family: formbook
Version: 4.1
Campaign ID: k9d0 (also the C2 URI path)
C2: http://www.dotgroup-email.com/k9d0/
Other domains in the extracted config (FormBook configs bundle a list of decoy domains with the real C2 and the bot beacons to them as well, so treat these as hunting IOCs rather than confirmed attacker infrastructure):
- flourishpodcast.xyz
- xn--nga.group
- music-tomato.com
- motory.store
- arrivehike.info
- xn--diseowebseo-4db.com
- centpourcentsons.com
- qnnjja005.xyz
- annielynnrose.com
- darlaevans.com
- door-maximum.com
- chinataibaifen.com
- stickerhicks.com
- ta2gamesstudio.com
- jendelanews.com
- milestoneneuro.com
- premierconciergehomes.com
- exitcounter.com
- jrsway.com
- famurainmobiliaria.com
- rutielvoitte.xyz
- dhft.xyz
- fshesan.com
- farmaciavicentellaudesfmas.com
- aolchattranscripts.com
- huangzh.store
- treybenson.com
- globalnepalimusicaward.com
- red0rangejuice.com
- getfreemushrooms.net
- miro24.icu
- agiatektro.com
- nature-hugreen.com
- hiaey.online
- mysupersol.com
- ordermeikingpawtucket.com
- xyaomao.com
- epistledigital.com
- robertgeniesse.com
- 6m8r6i.icu
- metalodging.com
- mailez1.net
- fondoimpresadonna.com
- suckhoemoingay26.website
- palakasorel.rest
- expanchemlcals.com
- itfgf.xyz
- hindiepustakalaya.com
- axieinfiniti.net
- med-news.club
- geekgarment.com
- sanaviiva.xyz
- unicouno.com
- northcromepoa.com
- sanclementesportsacademy.com
- ventasjustin.com
- d7snv.xyz
- yutasblog.com
- kingcloud88.com
- ijibejivv.xyz
- routhchafe.com
- arcane-sentinels.com
- sscd5g.icu
- seo-kumar.com
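The extracted config is only useful once it is matched against traffic. The following is an added example, not code from the sandbox or from this report: it copies the C2 URL, campaign ID and domain list from the config above, IDNA-normalizes hostnames so that a Unicode host in a log matches the punycode entries in the list (xn--nga.group, xn--diseowebseo-4db.com), and sweeps a proxy log. The log format and the log lines are constructed for the demo. The report lists the domains unlabelled; since FormBook configs carry decoy domains alongside the real C2, the example grades those separately from the C2 host.

```python
"""Sweep proxy log lines for the FormBook C2 and config domains from this report.

Added example for this page; it is not code from the sandbox or the report.
C2_URL, CAMPAIGN and CONFIG_DOMAINS are copied from the extracted config
above; LOG_RE, the log format and SAMPLE_LOG are constructed for the demo.
"""
import re
from urllib.parse import urlsplit

C2_URL = "http://www.dotgroup-email.com/k9d0/"
CAMPAIGN = "k9d0"
# The remaining domains from the extracted config. FormBook configs carry a
# list of decoy domains next to the real C2 and the bot beacons to them with
# the same campaign path, so they are hunting IOCs, not confirmed attacker
# infrastructure; only C2_URL should be treated as such.
CONFIG_DOMAINS = """
flourishpodcast.xyz xn--nga.group music-tomato.com motory.store arrivehike.info
xn--diseowebseo-4db.com centpourcentsons.com qnnjja005.xyz annielynnrose.com
darlaevans.com door-maximum.com chinataibaifen.com stickerhicks.com
ta2gamesstudio.com jendelanews.com milestoneneuro.com premierconciergehomes.com
exitcounter.com jrsway.com famurainmobiliaria.com rutielvoitte.xyz dhft.xyz
fshesan.com farmaciavicentellaudesfmas.com aolchattranscripts.com huangzh.store
treybenson.com globalnepalimusicaward.com red0rangejuice.com getfreemushrooms.net
miro24.icu agiatektro.com nature-hugreen.com hiaey.online mysupersol.com
ordermeikingpawtucket.com xyaomao.com epistledigital.com robertgeniesse.com
6m8r6i.icu metalodging.com mailez1.net fondoimpresadonna.com
suckhoemoingay26.website palakasorel.rest expanchemlcals.com itfgf.xyz
hindiepustakalaya.com axieinfiniti.net med-news.club geekgarment.com
sanaviiva.xyz unicouno.com northcromepoa.com sanclementesportsacademy.com
ventasjustin.com d7snv.xyz yutasblog.com kingcloud88.com ijibejivv.xyz
routhchafe.com arcane-sentinels.com sscd5g.icu seo-kumar.com
""".split()

# Constructed proxy log format: timestamp, client IP, method, URL, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

# Constructed lines: a real check-in, a decoy check-in, a decoy written with
# its Unicode hostname, and benign traffic.
SAMPLE_LOG = """\
2021-10-11T10:03:12Z 10.0.0.23 GET http://www.dotgroup-email.com/k9d0/?ab=QjJ3 200
2021-10-11T10:03:40Z 10.0.0.23 GET http://www.music-tomato.com/k9d0/?ab=QjJ3 404
2021-10-11T10:04:01Z 10.0.0.23 GET http://diseñowebseo.com/k9d0/?ab=QjJ3 404
2021-10-11T10:05:55Z 10.0.0.42 GET https://www.example.com/index.html 200
"""


def normalize_host(host):
    """Lowercase, drop a trailing dot and IDNA-encode, so a Unicode hostname
    in a log (diseñowebseo.com) matches the punycode form used in the config
    (xn--diseowebseo-4db.com). Already-ASCII labels pass through unchanged."""
    host = host.strip().rstrip(".").lower()
    return host.encode("idna").decode("ascii")


def _under(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(url):
    """Return (verdict, normalized host); verdict is None for non-IOC traffic."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname or "")
    c2 = urlsplit(C2_URL)
    c2_base = c2.hostname[4:] if c2.hostname.startswith("www.") else c2.hostname
    checkin = parts.path.startswith("/%s/" % CAMPAIGN)
    if _under(host, c2_base):
        return ("c2-checkin" if checkin else "c2-host"), host
    if any(_under(host, d) for d in CONFIG_DOMAINS):
        return ("decoy-checkin" if checkin else "decoy-host"), host
    return None, host


def scan_log(text):
    """Return (line number, host, verdict) for every log line that hits an IOC."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if m is None:
            continue
        verdict, host = classify(m["url"])
        if verdict is not None:
            hits.append((n, host, verdict))
    return hits


if __name__ == "__main__":
    for n, host, verdict in scan_log(SAMPLE_LOG):
        print("line %d: %-28s %s" % (n, host, verdict))
```

Matching on the base domain rather than the exact `www.` host catches the sample's beacons if the bot rotates hostnames, and the campaign path `/k9d0/` is what separates a check-in from an unrelated visit to one of the decoy sites.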
Targets

Target: BOM Contracting and General Supplies.js
Signatures

- Modifies WinLogon for persistence
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- Formbook Payload
- Blocklisted process makes network request
- Downloads MZ/PE file
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator: detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext (typical of process hollowing, where a suspended thread's context is rewritten to run injected code)
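The signatures name two persistence points, the Winlogon key and a Run key. As an added example, not code from the sandbox or from this report, the following audits both on a host: it compares the Winlogon Userinit and Shell values against their clean defaults (userinit.exe and explorer.exe, an assumption the example makes about an unmodified system) and flags Run entries that launch from a user-writable directory, through a script host, or with a script payload such as the .js loader this sample is. The live read uses winreg and so needs a Windows host; the checks themselves take plain dicts, and the values in the demo and the directory heuristic are constructed for the example.

```python
"""Audit the two persistence points the report flags: Winlogon and Run keys.

Added example for this page; it is not code from the sandbox or the report.
The clean defaults and the "user-writable directory" heuristic are the
example's own assumptions; the value dicts in the demo are constructed.
read_values() needs a Windows host; the checks run anywhere on a dict.
"""
import re
try:
    import winreg  # Windows only
except ImportError:
    winreg = None

WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Expected first entry of the Winlogon values that loaders append to.
# A value that is absent (normal for HKCU) is not a finding.
WINLOGON_EXPECTED = {
    "Userinit": r"c:\windows\system32\userinit.exe",
    "Shell": "explorer.exe",
}
# Locations droppers write to. A legitimate per-user app can live here too,
# so a hit is a review item, not a verdict.
USER_WRITABLE = re.compile(r"\\(appdata|temp|tmp|programdata|public|downloads)\\", re.I)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|regsvr32|rundll32)(\.exe)?\b", re.I)
SCRIPT_PAYLOAD = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)\b", re.I)


def _entries(value):
    """Split a comma-separated Winlogon value into its non-empty entries."""
    return [e.strip() for e in value.split(",") if e.strip()]


def check_winlogon(values):
    """Return findings for Winlogon values that are not the clean default."""
    findings = []
    for name, expected in WINLOGON_EXPECTED.items():
        if name not in values:
            continue
        entries = _entries(values[name])
        if not entries or entries[0].strip('"').lower() != expected:
            findings.append("%s: unexpected primary entry %r" % (name, entries[:1]))
        for extra in entries[1:]:
            findings.append("%s: extra entry %r" % (name, extra))
    return findings


def check_run(values):
    """Return {value name: [reasons]} for Run entries worth a look."""
    findings = {}
    for name, cmd in values.items():
        reasons = []
        if USER_WRITABLE.search(cmd):
            reasons.append("user-writable path")
        if SCRIPT_HOSTS.search(cmd):
            reasons.append("script/LOLBin host")
        if SCRIPT_PAYLOAD.search(cmd):
            reasons.append("script payload")
        if reasons:
            findings[name] = reasons
    return findings


def read_values(root, path):
    """Read all values under root\\path as {name: str}; {} if the key is missing."""
    out = {}
    try:
        with winreg.OpenKey(root, path) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                out[name] = str(data)
                i += 1
    except OSError:
        pass
    return out


def audit():
    """Run both checks against HKLM and HKCU; None when not on Windows."""
    if winreg is None:
        return None
    report = {}
    hives = (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER))
    for hive_name, hive in hives:
        report[hive_name + "\\" + WINLOGON] = check_winlogon(read_values(hive, WINLOGON))
        for rk in RUN_KEYS:
            report[hive_name + "\\" + rk] = check_run(read_values(hive, rk))
    return report


if __name__ == "__main__":
    # Constructed values in the shape a dropper leaves behind.
    print(check_winlogon({"Userinit": r"C:\Windows\system32\userinit.exe,C:\Users\bob\AppData\Roaming\svc.exe",
                          "Shell": "explorer.exe"}))
    print(check_run({"bom": r'wscript.exe //B "C:\Users\bob\AppData\Roaming\bom.js"'}))
    print(audit())
```

Userinit is checked entry by entry because the usual tampering keeps the real userinit.exe first and appends the payload after the comma, so a plain equality test against the default would miss nothing but a whole-value comparison would also flag harmless trailing whitespace. On a 64-bit host the Run keys should be read from both registry views if the audit is extended beyond this example.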