General
- Target: boleto de pagamento.exe
- Size: 506KB
- Sample: 220131-sb6nzshdhk
- MD5: b62ac36e1344b06a56b74369bc2b7dab
- SHA1: ee05f5427401b69c4881cfcf9ab408307eda30a4
- SHA256: d22129107a8e45e8ceb11ea395c1279d4617d37a5846841b35ae06c6c08e170c
- SHA512: ce39fb78a39b43625495b686e9fa53d350e77b79efca59dca695f798c35c8e52b733de36c6ceeb986591855519c69f05d6c2c7c4e176c07a51a98d79d0373826
Tasks
- Static task: static1
- Behavioral task: behavioral1
- Sample: boleto de pagamento.exe
- Resource: win7-en-20211208
Malware Config (extracted)
- Family: formbook
- Version: 4.1
- Campaign: gn27
Targets
- Target: boleto de pagamento.exe
- Size: 506KB
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Sets service image path in registry
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Suspicious use of SetThreadContext