General
- Target: Orden N° 067.exe
- Size: 247KB
- Sample: 220127-qcn48adbcq
- MD5: b36ce18bb9f5d208ebef0620b525baf7
- SHA1: 045951540bd833078efb46ee7a38af86dac7764f
- SHA256: cd4537fc71b075714c040194ba6caba7b0d1bf8b8614f0d7b1868f4941e4cb06
- SHA512: 755732c0d6c89180f9d7fa08361b221011dd014938abc1ee65ce62062ba22422fa74d29cabe6e4ca35093911788d622445bced9ea56659fd29c2e30834bee493
Static task: static1
Behavioral task: behavioral1
- Sample: Orden N° 067.exe
- Resource: win7-en-20211208
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: os16
- C2 domains:
  nautic-experts-hageboelling.com
  fullharvestfundraising.com
  xbdsm.club
  duocaterers.com
  prizebuddy.club
  nillprive.com
  firebreathingpenguin.com
  buxledger.com
  annual-journals.com
  mydemosite0.com
  noaoka.com
  eblaghe-iran.xyz
  globalyuncang.com
  jacqueson-autocars.com
  asiafinances.com
  howtomakearesume.space
  modernwarfaresecrets.com
  dualamaquinaria.com
  thrili.com
  gracing-up.com
  jcrealtydesigns.com
  southaustinmarket.com
  dp-yszxwbhc.com
  cryptolux.store
  yourtechyadda.com
  yogamat-turban.com
  fykori.xyz
  bitherders.com
  strelingcollectibles.com
  undershieldz.com
  youcarboneutral.com
  meetjaykinder.com
  wicked-smokes.com
  wy-bride.com
  dunespro.com
  sallyandterry.com
  theamalfiswim.com
  eleynworld.com
  dreamsinbloomphotography.com
  anaccommodation.com
  slingactivt.com
  rxd-ereecd.com
  immovableproperty.online
  ramziflowers.com
  anthropophony.com
  uncle.finance
  ialife.info
  kennascookies.com
  meta-medical.info
  sexcommittee.com
  royalfountainlogistics.com
  thedefinitionteam.store
  dragonflyessence.com
  momubeauty.com
  alraedest.com
  alcmjd.xyz
  massagecon.com
  nicoletian.com
  rapslearning.online
  dlapi.xyz
  52economics.com
  neurochirurgie-eisner.com
  mbbfocean.xyz
  greenlightiim.com
  foodgw.com
Targets
- Target: Orden N° 067.exe
- Size: 247KB
- MD5, SHA1, SHA256, SHA512: identical to the hashes listed under General
- Signatures:
  - suricata: ET MALWARE FormBook CnC Checkin (GET)
  - Formbook Payload
  - Deletes itself
  - Loads dropped DLL
  - Suspicious use of SetThreadContext