General
Target: Scan007.js
Size: 2.4MB
Sample: 211026-lhm2wshah4
MD5: c5c9afb0a28b09453c8460d20db26159
SHA1: c8ca7d5879158942102b42d57d597189a0485a27
SHA256: 9d90d70b8ff4f7620d8f1618718db8561dfa5d375a3c5fbb00dadbeb51f1456e
SHA512: 692a2bba8a4d294e2be537d93fbde8172282adc9a927470615c0756b33671fde520b06141e9f88abfb5855315c4ad56484017d15b8e7f09109d46a9abed49c28
Static task: static1
Behavioral task: behavioral1
  Sample: Scan007.js
  Resource: win7-en-20210920
Behavioral task: behavioral2
  Sample: Scan007.js
  Resource: win10-en-20211014
Malware Config
Extracted: formbook
Version: 4.1
Campaign: my7g
C2: http://www.alibabasite.com/my7g/
Extracted: wshrat
C2: http://137.184.6.37:7121
Targets
Target: Scan007.js
- Formbook Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext