General
- Target: ROTONDI-NEW ORDER PT004.exe
- Size: 250KB
- Sample: 220125-rmtywsghfq
- MD5: f536635d5e97e42c2094f8b55a1c6c28
- SHA1: 931da46b998bb65a6a08a01e90d41689653d4103
- SHA256: baef60b7ed8a0286e276a7b7d76c7a9d52a8a77c2688b0d2b2cc1d886954b1a0
- SHA512: 07eccfbe1c8a9753eeee8e18b6d3f5de2e41f7c2e01f6da9234aba0b63985b20dac15061cda990023d4f905bbefa309edf192d157d1f19193601b9b7946a80a3
- Static task: static1
- Behavioral task: behavioral1
- Sample: ROTONDI-NEW ORDER PT004.exe
- Resource: win7-en-20211208
Malware Config
- Extracted: formbook 4.1 (a0p6)
Targets
- Target: ROTONDI-NEW ORDER PT004.exe (250KB; hashes as listed under General)
- Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Loads dropped DLL
- Suspicious use of SetThreadContext