pos.exe

General

Target: pos.exe
Size: 454KB
Sample: 211021-q7jszsbccl
Score: 10/10
MD5: 0082bb1c3ac5dc499f6db3d45de0ab3e
SHA1: 90eb55324f4068a4fde1da25ca7a3eff65d17e1e
SHA256: 1bb913d6f594107a8c8d4d64f9a3de85c602813d9ad93189b9949fbc8a93aa32
SHA512: e42c5af62527c2193d3f49f93918535b656f9d0a34065657df8273e606405b551e9f939450a134c20c58429951fbe7a27c14e19e66eeee57446349eaf7e30384

Malware Config (extracted)

Family: formbook
Version: 4.1
Campaign: u1bs
C2: http://www.vgmpradio.com/u1bs/
Decoy domains:

Targets

Target: pos.exe
MD5: 0082bb1c3ac5dc499f6db3d45de0ab3e
Filesize: 454KB
Score: 10/10
SHA1: 90eb55324f4068a4fde1da25ca7a3eff65d17e1e
SHA256: 1bb913d6f594107a8c8d4d64f9a3de85c602813d9ad93189b9949fbc8a93aa32
SHA512: e42c5af62527c2193d3f49f93918535b656f9d0a34065657df8273e606405b551e9f939450a134c20c58429951fbe7a27c14e19e66eeee57446349eaf7e30384

Signatures

  • Formbook: a data-stealing malware family.
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • Formbook Payload
  • Deletes itself
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (tactic columns): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation