General
Target: ARRIVAL NOTICE AND IMPORT PERMIT.lzh
Size: 55KB
Sample: 211015-vvhglsbheq
MD5: 0a7506eb8f7a9876b2a4ff1ae5465e57
SHA1: 64217c729ba6de92d2474c2dbfcb131cb49ec998
SHA256: 24bcc08ffd3830682dbd3a11790e5daa04c1da567ab2cc3302ae5305fa2e47ca
SHA512: 52f474ef29356a92f8971aed4a43cce3f42e2962d3a59c9b5d3447db26f88ae8857e33f4e4cf0e956ffe5f45def08afe30efe1d84b29efab04c8bb43650454f2
Static task: static1
Behavioral task: behavioral1
Sample: ARRIVAL NOTICE AND IMPORT PERMIT.exe
Resource: win7-en-20210920
Malware Config
Extracted
formbook
4.1
s0vc
http://www.xn--289an7fmsbe2rud327e.com/s0vc/
redstonemanagers.com
graffitiparktx.com
aliturk.com
asicsmalaysiasale.com
primetimehandyman.com
logjed068.xyz
rusicedream.com
rickcaronmuseum.com
softwarebuynow.com
buddysbarkery.com
ysm99.com
rtetrgwgre.xyz
97020.xyz
utahblind.site
hiyym.com
rohukager.xyz
vcstudentwork.com
oxfordautomotivepa.com
salibrown.com
tekosocks.com
creekincrystals.com
clairewashere.site
emiratli.xyz
eusoufernandorocha.com
regionalleadmap.guide
firstselectindia.com
megamodamaster.com
ritmicatop.com
hextellconstructions.com
axismath.com
tadowequsotot.rest
hw0745.com
a-great-online-mba-es-lagdn.fyi
nazlialisverissitesi.com
bolacn.com
thegroundknowledge.com
brooksuper.com
readyneed.net
gentciu.com
trywelles.website
colab.farm
taylormadedfwhometeam.net
gosh-opium.club
hayyjameel.cloud
898192.com
pwnedpasswordsnft.com
pastormarkusgh.com
toonkor.golf
ambientmusicartist.com
chrisforjp.com
shzd2.com
lonestarbiologics.com
thinktimelogisticsllc.com
472291.com
heidoulife.com
lisamf.xyz
captainamberbeard.net
csishj.com
perfectnethost.com
abovethebarn.net
everhuntingabandon.xyz
satima.net
xn--jj0bs99byvj.com
smitheating.com
Targets
Target: ARRIVAL NOTICE AND IMPORT PERMIT.exe
Size: 136KB
MD5: 14286f5d33d5d0db8c2cf853588105de
SHA1: 0054237732dfb296e5b5429886a057e4374c1515
SHA256: 0bf8feda9e131c4b5bc7b17218880c3a492f702fa9fd6dc9d10f5a62a72aa08a
SHA512: f8169fc9ed525a268dca75f6e1e836fae00dabe3876aaf4766d21cf8d883fa91f0e4a6c8c9fcee3daec6ac6db0100614e7bbf0720b9015cd98015043dafe627d
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
Deletes itself
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext