General
- Target: Scan00350.js
- Size: 3.0MB
- Sample: 211116-xr23ysfag2
- MD5: 799061874d6078ee9ed3fe7a336f3f57
- SHA1: a2c7d54b505d3dc2407cfa43356e9d630de6a69f
- SHA256: 8565a460a65f0e087c1e1e59d1dbeb030fb7c7aa0cf2c6d758d37fddcdb8ef14
- SHA512: c7d0dc37e0f1742a32e5f2c860391f533831cc675c02082927e86487337aac99a54a2fb7a34964766ca936a6726d61d0d47e6bb772003d959ccd471e4950b267
Static task: static1
Behavioral task: behavioral1 (Sample: Scan00350.js, Resource: win7-en-20211104)
Behavioral task: behavioral2 (Sample: Scan00350.js, Resource: win10-en-20211104)
Malware Config
Extracted: formbook 4.1, my7g, http://www.alibabasite.com/my7g/
Extracted: wshrat, http://140.228.29.190:7121
Targets
- Target: Scan00350.js, 3.0MB (MD5, SHA1, SHA256 and SHA512 identical to those listed under General)
- Formbook Payload
- Blocklisted process makes network request
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Adds Run key to start application
- Looks up external IP address via web service: uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext