General
Target: SWIFT COPY.LZH
Size: 480KB
Sample: 211029-jr5l7ahfcj
MD5: 02be7f91d14bc87466f20caf24177c03
SHA1: 42e07aba2a184e70a8560fcce653f9528cfb7f25
SHA256: c2c9cb3c22b2f91e1d4c8f2df369592c49074f6094a91b80f79da0f54671cd83
SHA512: 1ecc670c015e0a720f1b998a273aaafff88d10528ee7bc54f36f41a05023459dc95353e302637f33b8c3d19c70e74d68a5b95677ce89c5cd8145955088fcd64f
Static task: static1
Behavioral task: behavioral1
Sample: SWIFT COPY.exe
Resource: win7-en-20210920
Malware Config
Extracted: formbook 4.1 (ob7y)
http://www.metanewsroom.net/ob7y/
Targets
Target: SWIFT COPY.exe
Size: 966KB
MD5: 09ea55fda689169d22f33a6a23de5832
SHA1: 9889ea9b471b8b37e059354bfa4650963bd63867
SHA256: 2cbd7b218fee7aaff31980c7f2bb3e42e08471518483071be365d4a36df2e59d
SHA512: 1c62f2f23921b37506a4323fbce9efd304f02dcf8539364240beef081840bd0cbc38fc6874f7e42e14673a0611d3f594c37d1e9839e2e3f59f3aeab2980752f4
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Adds Run key to start application
Suspicious use of SetThreadContext