General
Target: Quotation-pdf.001
Size: 426KB
Sample: 220128-r36mmaeggn
MD5: e1fa9ac21b46fd0b7c15ba0861494f6f
SHA1: 038c0107ddcd0ac782cf1b9e0489183fb71f91d9
SHA256: b3a1efab40ba72a79ed8b8cc89b738bbdb356940074aee6983a1b21059baa516
SHA512: 3e2279e2535266486cfa66fbf321445dd99059981107ea72763fc45c9c76a7fc78decee5809fffd07717b3d2dddf748597f3d02d7f7fa5866e8c9ba86de42668
Static task: static1
Behavioral task: behavioral1
Sample: Quotation-pdf.exe
Resource: win7-en-20211208
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: m17y
C2 domains:
dental-implants-us-prices.site
eolegends.online
drskinstudio.com
miamivideomapping.com
cqytwater.com
fesfe.net
dlautostore.com
wwwpledge.com
trynutiliti.com
551milesoak.com
jemmetalfab.com
teamtrinitysellsncarolina.com
injurypersonallawyer.com
r3qcf2.xyz
djellaba-boutique.com
t6fwagd.xyz
lm-upto100.com
shyashijz.com
classicbasilicata.com
exactias.com
veocap.xyz
jf-cap.com
oldtraditionstattooparlor.com
egyptshipping.xyz
bdcuhg.com
stecmedia.com
pornvideohall.com
3scy.com
ltmyj.com
supercarniceriasgonvi.com
sdjiahengjixie.com
silvertiaras.com
sedahet.com
peinturefleuri.com
rainfall3d.com
warezhq.com
hsdayp.com
ukhtanytm.com
womensboxing.club
cathayspacific.com
4442tv.com
mekanoshos.com
nomihhealth.com
j3gscd.xyz
kamagranorx.com
hillsidefirm.com
basebastill.com
pureoemo.com
indebtednotable.xyz
odrowiwad.xyz
thenatlali.com
tradeonlink.com
illinimidgets.com
dvtrskgsn.com
efcapcongress.com
girlbest.store
langcustomhomes.net
oncehua.com
corendonnorway.com
streetport.info
3696666.com
ivmmo.biz
doctorfinder.icu
deliriumvery.com
dty191.com
Targets
Target: Quotation-pdf.exe
Size: 573KB
MD5: 43be7a6cfb1c2fae6ad5c9e0440be4f8
SHA1: af4be0100e8c2b00ec1d821d72d15174ab2197e4
SHA256: 0337d7784d4021b8467b2652f8c6ca9703732a0f132a1aebcafae37673db026d
SHA512: 18a88af955dda3fbfc44a44ee72f8dcd32aefcc1d998316980bb235b485de6b6fee09b1322a5bd863cab5036c6b9b16c6a8aaf30c918ba5862c5b83b29406643
Signatures:
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Deletes itself
Suspicious use of SetThreadContext