General
-
Target
yryclCpe3QldozN.exe
-
Size
513KB
-
Sample
211021-jbtjzsaghj
-
MD5
28e0a297c93023d0ad2d296b214598b5
-
SHA1
ef10cbec56dc28cba963887050738501419306e6
-
SHA256
cce2edbec8676315b05ba2e2dda2feb9190edb5f217b9824ae58b40a770924fe
-
SHA512
f5f78b83a50a90d4f35208522c7baf30685dd755ecdc78c9245ca7d94643b85797b4041282dd9655a0cc4bc8032211203b1c452999c3ab0ab74b06751211b1c5
Static task
static1
Behavioral task
behavioral1
Sample
yryclCpe3QldozN.exe
Resource
win7-en-20210920
Malware Config
Extracted
formbook
4.1
d7ln
http://www.mottpolis.com/d7ln/
bulut-imza.com
gotastebuds.com
shutupmags.com
clocksport.com
toweryachtcounsel.com
kingcopier.com
pluspersona.com
inchallahe.com
unclonedconsulting.com
ccdt168.com
tonyzheng.xyz
voiceoftheepeople.com
cicapital.xyz
offxpro.com
loyatiproductions.com
makemebuystuff.com
incuba8labs.com
remparka.com
newstft.com
bgame.pro
croniesnft.xyz
petaouchnock.site
gavesett.com
smarthousegroup.net
kkqdqj.mobi
glatdelate.quest
sharpmage.com
penis.today
squidscatter.com
digfinancial.com
imx.fund
bigbet3269.com
leatherlidinserts.net
eyecollection-nishigifu.com
wagyuchefs.com
cafeandbakecestbon.com
appsy.tech
johnmaxwelltam.com
eternity-warm.com
naebidynamic.com
landgrunt.com
chap-immo.com
wgzywz.com
zawovu.com
shortsvault.com
squidgameoutfitsss.com
keaneoil.com
v44881.com
spartanboardgames.com
rotcid.xyz
qvconsultants.com
reinorshine.com
turkeyetrade.com
webcomprei.com
00010shou.com
tiffanyandjose.com
todd4mayor.com
designbydb.com
higherj.com
delicatmnl.com
huamanishop.com
pinkle-store.com
gatewaytothegreatoceanroad.com
felerritst.quest
Targets
-
-
Target
yryclCpe3QldozN.exe
-
Size
513KB
-
MD5
28e0a297c93023d0ad2d296b214598b5
-
SHA1
ef10cbec56dc28cba963887050738501419306e6
-
SHA256
cce2edbec8676315b05ba2e2dda2feb9190edb5f217b9824ae58b40a770924fe
-
SHA512
f5f78b83a50a90d4f35208522c7baf30685dd755ecdc78c9245ca7d94643b85797b4041282dd9655a0cc4bc8032211203b1c452999c3ab0ab74b06751211b1c5
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-