General
-
Target
dllhost.exe
-
Size
448KB
-
Sample
211020-mz9snahhaj
-
MD5
c78d5e89ebecb4d88d3ab36bc47fd7ba
-
SHA1
476733e0eb88a9dce2a65200c23ddd0d5f2b3496
-
SHA256
9b6b00b331ea48d5477fbd0ec6e168407dcec59c758eb797c9672d2f74dba12a
-
SHA512
a4de582e5f599ad11c60dbdb7e7ded18c004f956ec84eb379f30ebd1e83eb3fe938fab821038dcf6c1dff839b329ff85ab556fd75f54e70e332ff25415ddfddb
Static task
static1
Behavioral task
behavioral1
Sample
dllhost.exe
Resource
win7-en-20211014
Malware Config
Extracted
formbook
4.1
kzk9
http://www.yourmajordomo.com/kzk9/
tianconghuo.club
1996-page.com
ourtownmax.net
conservativetreehose.com
synth.repair
donnachicacreperia.com
tentfull.com
weapp.download
surfersink.com
gattlebusinessservices.com
sebastian249.com
anhphuc.company
betternatureproducts.net
defroplate.com
seattlesquidsquad.com
polarjob.com
lendingadvantage.com
angelsondope.com
goportjitney.com
tiendagrupojagr.com
self-care360.com
foreignexchage.com
loan-stalemate.info
hrsimrnsingh.com
laserobsession.com
primetimesmagazine.com
teminyulon.xyz
kanoondarab.com
alpinefall.com
tbmautosales.com
4g2020.com
libertyquartermaster.com
flavorfalafel.com
generlitravel.com
solvedfp.icu
jamnvibez.com
zmx258.com
doudiangroup.com
dancecenterwest.com
ryantheeconomist.com
beeofthehive.com
bluelearn.world
vivalasplantas.com
yumiacraftlab.com
shophere247365.com
enjoybespokenwords.com
windajol.com
ctgbazar.xyz
afcerd.com
dateprotect.com
northeastonmusic.com
fourwaira.com
forschungsraumtheater.com
islameraloke.com
mavericksone.com
whguideinfrared.com
akomandr.com
experts-portail.com
ambassadorworldnews.com
case-kangaroo.com
theglobalbusinessmentor.com
igforoldpeople.com
royalglossesbss.com
merxeduct.com
Targets
-
-
Target
dllhost.exe
-
Size
448KB
-
MD5
c78d5e89ebecb4d88d3ab36bc47fd7ba
-
SHA1
476733e0eb88a9dce2a65200c23ddd0d5f2b3496
-
SHA256
9b6b00b331ea48d5477fbd0ec6e168407dcec59c758eb797c9672d2f74dba12a
-
SHA512
a4de582e5f599ad11c60dbdb7e7ded18c004f956ec84eb379f30ebd1e83eb3fe938fab821038dcf6c1dff839b329ff85ab556fd75f54e70e332ff25415ddfddb
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-