General
Target: PO 800A3E4.exe
Size: 962KB
Sample: 211025-k9l38sghap
MD5: d13b3ff3dfdab0ced5ea88729756afd6
SHA1: 51ceb5fb8e95c355ee3482e3d3f2c5d678203912
SHA256: 49609c0487ceeec0771547efd9277b01f494be83549bc0245330672ee962c50c
SHA512: ab1e9cd76c813462678cbce85623ea31d9e8e379cd7d069f0fb6b1231795fa35cf6e2e0a8ec498f7e5a2d6a9682a9b091a46fbedd7ba5d5d0456e7fd6adeb0ee
Static task: static1
Behavioral task: behavioral1
Sample: PO 800A3E4.exe
Resource: win7-en-20211014
Malware Config
Extracted: formbook 4.1, campaign c249
C2: http://www.sarahnicolenadler.online/c249/
Targets
Target: PO 800A3E4.exe, 962KB (hashes as listed under General)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Suspicious use of SetThreadContext