General

Target: CMA-CGM_BOOKING CONFIRMATION.exe
Size: 136KB
Sample: 211014-sgrr1safgm
MD5: 8d8de7800608937b14d10bd67119606c
SHA1: bc31409f73d7cae389fb0a7f6d43c4559cdf3b24
SHA256: 312a98e7e1ce67e997898b9fc725d99a2eb0ac2e9e6b1d316f9f5c99ed3a3223
SHA512: 92b5241333d0fe0cd303be979e226be5bd69b5656a733c5a867f5415923773561a584ff5ee15113b727299d11a94f474b624173a8c8b4807711644caa6a7d7d7

Static task: static1
Behavioral task: behavioral1
Sample: CMA-CGM_BOOKING CONFIRMATION.exe
Resource: win7-en-20210920

Note on the lure: the filename imitates a booking confirmation from the container shipping line CMA CGM, but the file is a plain executable, a common maldoc-style disguise for FormBook droppers delivered by e-mail.
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: nff
C2: http://www.yellow-wink.com/nff/
Decoy domains (64 entries; FormBook embeds a list of decoy domains alongside the real C2, so the C2 URL above is the high-confidence indicator and the list below should be weighted lower):
shinseikai.site
creditmystartup.com
howtovvbucks.com
betterfromthebeginning.com
oubacm.com
stonalogov.com
gentrypartyof8.com
cuesticksandsupplies.com
joelsavestheday.com
llanobnb.com
ecclogic.com
miempaque.com
cai23668.com
miscdr.net
twzhhq.com
bloomandbrewcafe.com
angcomleisure.com
mafeeboutique.com
300coin.club
brooksranchhomes.com
konversiondigital.com
dominivision.com
superiorshinedetailing.net
thehomechef.global
dating-web.site
gcbsclubc.com
mothererph.com
pacleanfuel.com
jerseryshorenflflagfootball.com
roberthyatt.com
wwwmacsports.com
tearor.com
american-ai.com
mkyiyuan.com
gempharmatechllc.com
verdijvtc.com
zimnik-bibo.one
heatherdarkauthor.net
dunn-labs.com
automotivevita.com
bersatubagaidulu.com
gorillarecruiting.com
mikecdmusic.com
femuveewedre.com
onyxmodsllc.com
ooweesports.com
dezeren.com
foeweifgoor73dz.com
sorchaashe.com
jamiitulivu.com
jifengshijie.com
ranchfiberglas.com
glendalesocialmediaagency.com
icuvietnam.com
404hapgood.com
planetturmeric.com
danfrem.com
amazonautomationbusiness.com
switchfinder.com
diversifiedforest.com
findnehomes.com
rsyueda.com
colombianmatrimony.com
evan-dawson.info
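Added example, not part of the sandbox report and not FormBook's or the sandbox's own code: a small Python IOC matcher built from the extracted config and the file hashes above. It classifies proxy-log requests as a C2 check-in, other C2-host traffic, a decoy-domain hit, or nothing, and verifies a recovered file against the reported digests. Assumptions: the proxy log format and its sample lines are constructed for illustration, DECOY_DOMAINS holds only a subset of the 64 entries listed above, and the "c2-checkin" label is this script's own approximation of a GET beacon to the C2 URL, not the actual signature of the ET Suricata rule named in the report.

```python
"""IOC matcher for the FormBook config extracted above (added example)."""
import hashlib
from urllib.parse import urlparse

# Fields copied from the extracted config in the report.
FAMILY = "formbook"
VERSION = "4.1"
CAMPAIGN = "nff"
C2_URL = "http://www.yellow-wink.com/nff/"
C2_HOST = urlparse(C2_URL).hostname            # www.yellow-wink.com
C2_DOMAIN = C2_HOST[4:] if C2_HOST.startswith("www.") else C2_HOST

# Subset of the 64 decoy domains in the report (assumption: paste the full
# list for real use). FormBook ships decoys beside the real C2, so a hit on
# one of these is a weaker indicator than a hit on C2_URL.
DECOY_DOMAINS = (
    "shinseikai.site",
    "creditmystartup.com",
    "howtovvbucks.com",
    "betterfromthebeginning.com",
    "oubacm.com",
    "evan-dawson.info",
)

# Digests from the report, used to confirm a recovered file is this sample.
REPORT_HASHES = {
    "md5": "8d8de7800608937b14d10bd67119606c",
    "sha1": "bc31409f73d7cae389fb0a7f6d43c4559cdf3b24",
    "sha256": "312a98e7e1ce67e997898b9fc725d99a2eb0ac2e9e6b1d316f9f5c99ed3a3223",
}

# Constructed proxy log lines (not from the report):
# timestamp client method url status
SAMPLE_LOG = """\
2021-10-14T09:01:12Z 10.0.0.21 GET http://www.yellow-wink.com/nff/?id=1 200
2021-10-14T09:01:15Z 10.0.0.21 GET http://www.shinseikai.site/nff/ 404
2021-10-14T09:02:00Z 10.0.0.33 GET http://example.com/index.html 200
2021-10-14T09:02:07Z 10.0.0.21 POST http://www.yellow-wink.com/nff/ 200
"""


def _host_matches(host, domain):
    """True when host equals domain or is a subdomain of it (FormBook uses 'www.')."""
    return host == domain or host.endswith("." + domain)


def classify_request(method, url):
    """Return 'c2-checkin', 'c2', 'decoy' or None for one HTTP request.

    'c2-checkin' is a GET to the extracted C2 URL (this script's
    approximation of the check-in the Suricata alert names). Other traffic
    to the C2 host, such as POSTs, is 'c2'; decoy hits are kept separate so
    they can be weighted lower.
    """
    host = urlparse(url).hostname or ""
    if _host_matches(host, C2_DOMAIN):
        if method.upper() == "GET" and url.startswith(C2_URL):
            return "c2-checkin"
        return "c2"
    if any(_host_matches(host, d) for d in DECOY_DOMAINS):
        return "decoy"
    return None


def scan_log(lines):
    """Scan 'ts client method url status' lines; return matching entries in order."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 4:
            continue                      # malformed or empty line, skip it
        ts, client, method, url = parts[:4]
        verdict = classify_request(method, url)
        if verdict:
            hits.append({"line": n, "time": ts, "client": client,
                         "host": urlparse(url).hostname, "verdict": verdict})
    return hits


def compute_hashes(data):
    """MD5/SHA1/SHA256 of data, keyed like REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def matches_report(data):
    """True only when every reported digest matches (one match is not enough)."""
    return compute_hashes(data) == REPORT_HASHES


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
    print("sha256(b'abc') =", compute_hashes(b"abc")["sha256"])
```

Running the script on the constructed log reports the GET beacon to the C2 URL as "c2-checkin", the request to www.shinseikai.site as "decoy", and the later POST to the C2 host as "c2"; the example.com line produces nothing. Keep the decoy list and the C2 URL as separate indicator tiers when you feed this into a SIEM, because any of the 64 decoys may be a legitimate site chosen by the operator to drown out the real C2.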
Targets

Target: CMA-CGM_BOOKING CONFIRMATION.exe (136KB; hashes as listed under General)
suricata: ET MALWARE FormBook CnC Checkin (GET) (the alert is listed twice in the report; it corresponds to the GET beacon to the C2 URL in the extracted config)

Formbook Payload

Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization. A sample that finds the agent may stop or change behaviour, so a QEMU/KVM-based sandbox can see a different execution path than a bare-metal host.

Deletes itself: the dropper removes its own file after running, which hinders later forensic recovery; the hashes under General identify the original file.

Suspicious use of NtCreateThreadExHideFromDebugger: a thread is created with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so it never reports debug events to an attached debugger.

Suspicious use of NtSetInformationThreadHideFromDebugger: NtSetInformationThread with the ThreadHideFromDebugger information class hides an existing thread from a debugger the same way; breakpoints and exceptions in that thread are not delivered to the debugger.

Suspicious use of SetThreadContext: rewriting a thread's context is the usual way to redirect a suspended thread to injected code during process hollowing or injection; the report records the call, not the target process.