General
Target: Wire-84844663637346665.PDF.vbs
Size: 75KB
Sample: 220121-rqp44saadl
MD5: 2eb1625e8d4e3f9b19ab947d188d0be8
SHA1: 7aad4e8d8f521d1c36a7468418047c8a5751b7e9
SHA256: 354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35
SHA512: 7e2f8553d3375d1cfe0132a3abe854a1457f08c1f3c6bfbe730c044fec1a127f3a9405c59b1f620f91ea76b7eb7d68fce78058b68f4a69437d2e08b0879ad517
Static task: static1
Behavioral task: behavioral1
- Sample: Wire-84844663637346665.PDF.vbs
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Wire-84844663637346665.PDF.vbs
- Resource: win10-en-20211208
Malware Config
Extracted: formbook 4.1 (ty13)
Domains:
renatocarrion.com
inadmaa.email
dgsgamer.com
scentsofhome.com
vimeghbrandshop.online
seaxneat.com
10448se147thave.com
msewy.xyz
greekgolden.com
thinktosolve.com
darmadao.com
patriotproperties.info
erwsed.tech
iamanocelot.com
marketinginspiration4.biz
googleprog.com
nz34.com
xu6cotckdwbd.xyz
jimmychenchen.com
kntfashionstore.online
ogusourcing.com
digitalgraz.com
nomiehalth.com
neatoboutique.com
luziaeeveraldo.com
kootenaysewersolutions.com
powerplantsliverpool.com
allinclusiveplaya.com
jldphotograph.com
threedaydeli.com
sv7wgmna.xyz
reformasmod.com
autoconnect.support
hustle1radio.com
thepremiersales.com
transform.guide
awolin.link
sala1.xyz
xn--er-7ka.com
leadthisway.com
bluegrownmx.com
tablewaro.com
ecoprimex.com
gloress.com
khodabavar.com
verhuisdoos.net
accessftlauderdale.com
gorgeousincome.com
jxs6652.com
bioheallabs.com
pdswakl.com
douglasacessorios.com
coincapmjd.xyz
liningning.xyz
buyoutz.site
agvtime.com
homeit99.com
caveatcooperative.com
honeyboxsoap.com
snoringdisorders.com
dianziyanpeijian.com
pcc.life
lookbypc.com
osldjz.com
recountsol.xyz
Targets
Target: Wire-84844663637346665.PDF.vbs
Size: 75KB
MD5: 2eb1625e8d4e3f9b19ab947d188d0be8
SHA1: 7aad4e8d8f521d1c36a7468418047c8a5751b7e9
SHA256: 354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35
SHA512: 7e2f8553d3375d1cfe0132a3abe854a1457f08c1f3c6bfbe730c044fec1a127f3a9405c59b1f620f91ea76b7eb7d68fce78058b68f4a69437d2e08b0879ad517
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Checks QEMU agent file: checks presence of QEMU agent, possibly to detect virtualization.
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext