General
-
Target
NEW ORDER.scr
-
Size
783KB
-
Sample
220126-gqchxaheak
-
MD5
8de332d7f57396f7e6f33e212d33480b
-
SHA1
884ab2b85eb222e6ebb32480d05b2f2e7c17bc22
-
SHA256
24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244
-
SHA512
66f1e657b56c328f3173d7902785883424510f7a039c55887c471b074f9870ec7294a7fa2deb8c6ad4096e0a89eb76c136f98640be124f56452ad0ddaf26b0ce
Static task
static1
Behavioral task
behavioral1
Sample
NEW ORDER.scr
Resource
win7-en-20211208
Malware Config
Extracted
formbook
4.1
s16r
kellieroysellsnc.com
valleylowvoltage.com
mltuo900.xyz
visitingpuntacana.com
weiwushi.com
austintechjob.com
rxstarcbd.com
shopstudioesi.com
filetto-server.xyz
relianceltdbnk.com
unethical.world
yedd.store
esthershhs.com
magaddis.com
scenicdrivetours.com
123gest.com
2020mortagelifeinsurance.com
faceinle.com
integritymarking.com
alfatoto.xyz
nwebcam.com
wu8hx5cpgl3i.xyz
shiningbellsscrubs.com
visitorego.com
101-bg.com
blaccforestsociety.com
caremeinternational.com
devanharle.com
d2h7e3q.xyz
excaliburteacher.com
tatouagejaponais.com
gallematias.com
sobacoffee.com
thetravelbanana.com
artandmag.com
swoutfit.com
pecintaotomotif.com
realkezorup.xyz
shoplitumi.com
taylorhudak.net
prime-links.net
openvmsdatabasemigration.com
digitaltradingforex.com
vocenoazulnovamente.com
ertyuhjul.xyz
yunshangzhongwen.com
psalm686.com
breastfeedcare.com
matjaralmona.com
insurancesalesreps.com
octets.biz
reviewopenaccess.biz
parvatakrachka.com
vector-center.xyz
hatchvi.com
hmamah.com
a-home4you.com
lq-safe-keepingyuchand91.xyz
amplexus.xyz
h3ssel.xyz
aims-colorado.com
clickforrichesvision.com
belcantato.com
minidentalimplantsdaytonoh.com
mlniubi.xyz
Targets
-
-
Target
NEW ORDER.scr
-
Size
783KB
-
MD5
8de332d7f57396f7e6f33e212d33480b
-
SHA1
884ab2b85eb222e6ebb32480d05b2f2e7c17bc22
-
SHA256
24c3816b1d93a87af33e2ac0fe32e6936578e220642441d8895df2f768745244
-
SHA512
66f1e657b56c328f3173d7902785883424510f7a039c55887c471b074f9870ec7294a7fa2deb8c6ad4096e0a89eb76c136f98640be124f56452ad0ddaf26b0ce
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Deletes itself
-
Suspicious use of SetThreadContext
-