General
Target: PO 0131.exe
Size: 601KB
Sample: 220131-m1n8cahacn
MD5: eb437cbf64c34aebc51d6fd32ceec985
SHA1: 2a1d8901240f6079da9c6978aabb658d55114d12
SHA256: 3d4e25f876b2007b8b03a1d79109a52fcb5602644fb4554eb065f97853daa5de
SHA512: af5a6a5c4479ac2a5dc6988d8a283ff022914347159440bb8f292fa426253cb6eefe67809701eb4996de4f92a85e933003796669523cd99500f5337e547d9d38

Static task: static1
Behavioral task: behavioral1
Sample: PO 0131.exe
Resource: win7-en-20211208
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: je16
C2 domains (a Formbook config carries a long domain list in which only one entry is the live C2 and the rest are decoys, so treat every entry below as an indicator when hunting):
antonavt.com
sdfvlog.xyz
xn--arbetslivsaktren-ywb.com
propelcolor.com
uniqueclsssiccars.com
colorbells.com
synjive.com
cloudymellows.com
walltage.com
qterps.com
kezorup.online
soakedindelight.online
thefirstgroupscam.biz
miclanka.com
mwm-security.com
trinksaifenradiodocumentary.com
spineklinik.com
javacodecafe.com
groovyrelease-toknowtoday.info
ventadesillasymesas.com
metaheaven.global
supershhhbros.com
tradecardsbtz.com
parcel-alert-redelivery.com
manoncollinet.com
yfsallegiance.com
my12127.com
connectedmk.com
m7ssucx.xyz
chefjeffrecipes.com
tgogziae.com
xu7d7mfh6fht.xyz
cdamanagementservices.com
tampanazareno.com
albanybestbuyers.com
cowboychannellpus.com
dreamyhousewife.com
wu8jvohkp12w.xyz
mohaisen.xyz
s-h-a-h.com
hainanmizhi.xyz
hypedrize.com
77hub.cloud
phxpowdercoating.com
vozeestore.com
infostate.store
woshinidie1990.com
riskfreeenergy.com
southernfreelancersph.com
smithstores.net
cryptopal.xyz
xk8abxci6ogf.xyz
explainersadvids.team
ponpesihsaniyah.com
szabossteakandseafood.com
willtuckfinancial.com
unitedwii.com
thenftlotterys.com
599qu.com
threegalasdesigns.com
bedplot.xyz
liquidministry.store
amazingfactsabouteverything.com
wofdex.com
wakilin.com
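The extracted domain list above is the natural hunting input for this sample. The following is an added example, not part of the sandbox report: it loads a subset of the listed C2 domains, normalizes query names (case, trailing dot, IDN spelling, so that the decoded form of `xn--arbetslivsaktren-ywb.com` still matches), and flags DNS log lines whose query name equals an indicator or is a subdomain of one. The log format (`timestamp client qname qtype`) and the log lines are constructed for illustration.

```python
"""Hunt for the Formbook C2 domain list in DNS query logs.

Added example, not part of the sandbox report. The domain subset below is
copied from the report's Malware Config block; the log format and log lines
are constructed for illustration and are not real telemetry.
"""

# Subset of the extracted C2 list (copied from the report).
FORMBOOK_C2 = [
    "antonavt.com",
    "sdfvlog.xyz",
    "xn--arbetslivsaktren-ywb.com",  # IDN A-label; see unicode_form()
    "propelcolor.com",
    "kezorup.online",
    "parcel-alert-redelivery.com",
    "77hub.cloud",
    "wakilin.com",
]


def normalize_domain(name: str) -> str:
    """Lower-case, drop a trailing dot, and convert Unicode labels to their
    ASCII (punycode) form so IDN and A-label spellings compare equal."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        # Not a valid hostname under IDNA rules; compare it as-is.
        return name


def unicode_form(name: str) -> str:
    """Human-readable (U-label) form of an A-label domain, for analyst display."""
    return name.encode("ascii").decode("idna")


def build_ioc_set(domains) -> frozenset:
    """Normalized indicator set used for lookups."""
    return frozenset(normalize_domain(d) for d in domains)


def matches_ioc(qname: str, iocs: frozenset):
    """Return the matching indicator if qname equals one or is a subdomain of one.

    Walks from the full name toward the registrable domain (a.b.c -> b.c),
    stopping before the bare TLD so 'com' alone can never match."""
    labels = normalize_domain(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def match_dns_logs(lines, iocs):
    """Parse 'timestamp client qname qtype' lines; return (ts, client, qname, ioc) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the hunt
        ts, client, qname, _qtype = parts[:4]
        ioc = matches_ioc(qname, iocs)
        if ioc is not None:
            hits.append((ts, client, qname, ioc))
    return hits


# Constructed DNS log lines (not real telemetry).
SAMPLE_DNS_LOG = [
    "2022-01-31T10:02:11Z 10.0.0.23 www.example.com A",
    "2022-01-31T10:02:14Z 10.0.0.23 WWW.antonavt.com. A",       # case + trailing dot
    "2022-01-31T10:02:15Z 10.0.0.23 arbetslivsaktören.com A",  # U-label of the IDN C2
    "2022-01-31T10:02:19Z 10.0.0.41 notantonavt.com A",        # must NOT match
    "2022-01-31T10:02:22Z 10.0.0.23 cdn.77hub.cloud A",        # subdomain of an IOC
    "garbage line",
]


def run_example():
    """Run the hunt over the constructed log and return the hits."""
    return match_dns_logs(SAMPLE_DNS_LOG, build_ioc_set(FORMBOOK_C2))


if __name__ == "__main__":
    for ts, client, qname, ioc in run_example():
        print(f"{ts} {client} queried {qname} -> matches C2 indicator {ioc}")
    print("IDN indicator reads as:", unicode_form("xn--arbetslivsaktren-ywb.com"))
```

Matching on the normalized A-label rather than on raw strings is what keeps the IDN entry useful: resolver logs may record the Unicode form, proxy logs the punycode form, and a plain substring match on either would miss the other. The TLD stop in `matches_ioc` also prevents a suffix match on `.com` or `.xyz` from flagging unrelated traffic.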
Targets
Target: PO 0131.exe
Size: 601KB
MD5: eb437cbf64c34aebc51d6fd32ceec985
SHA1: 2a1d8901240f6079da9c6978aabb658d55114d12
SHA256: 3d4e25f876b2007b8b03a1d79109a52fcb5602644fb4554eb065f97853daa5de
SHA512: af5a6a5c4479ac2a5dc6988d8a283ff022914347159440bb8f292fa426253cb6eefe67809701eb4996de4f92a85e933003796669523cd99500f5337e547d9d38

- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Sets service image path in registry
- Deletes itself
- Suspicious use of SetThreadContext (commonly used to redirect a suspended thread's entry point during process hollowing or code injection)