General
Target: DO854.exe
Size: 720KB
Sample: 211015-hmjngsafc8
MD5: bcb6b1075cf6afcf43d06046b3c9ee3e
SHA1: 0062dbb25b586cd8e20cc79e309c1087ea6f055f
SHA256: a9ab19b5e80ce04548b75d379c494d3113f71dfa81afaf23b512e7ee23ef6667
SHA512: f088debbb62d3d07f0e0f186849de585ccc9f4ebff3402b98c0a473c0a23a4da635d3b0a592c88c2dc3b65896ecf0b5b40886576720110d50f37f074f867c2a6
Static task: static1
Behavioral task: behavioral1
Sample: DO854.exe
Resource: win7-en-20210920
Malware Config
Extracted
formbook
4.1
fzsg
http://www.grouplmc.com/fzsg/
Targets
Target: DO854.exe
Formbook Payload
Executes dropped EXE
Loads dropped DLL
Obfuscated with Agile.Net obfuscator: Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Suspicious use of SetThreadContext