General
Target: Order_CF00128.exe
Size: 249KB
Sample: 220131-spl7haheem
MD5: 3354c90e93804da5b59c5e037bde0e0e
SHA1: ed6b364621233b681788f4598ff17268d15c2729
SHA256: 46eb08598db36bbd56aa97a864deb6e81b1a4f335cab69c02a163c7621f1d7e4
SHA512: fb72d0af999edc22712e517fa850f7ef22494734835ae1873abff5610ae890518479232c1cd41365b5fc8f04613b0570d45362e9c1c479e9a1565c38555c5b4f
Static task: static1
Behavioral task: behavioral1
Sample: Order_CF00128.exe
Resource: win7-en-20211208
Malware Config
Extracted: formbook, 4.1, os16
Domains:
nautic-experts-hageboelling.com
fullharvestfundraising.com
xbdsm.club
duocaterers.com
prizebuddy.club
nillprive.com
firebreathingpenguin.com
buxledger.com
annual-journals.com
mydemosite0.com
noaoka.com
eblaghe-iran.xyz
globalyuncang.com
jacqueson-autocars.com
asiafinances.com
howtomakearesume.space
modernwarfaresecrets.com
dualamaquinaria.com
thrili.com
gracing-up.com
jcrealtydesigns.com
southaustinmarket.com
dp-yszxwbhc.com
cryptolux.store
yourtechyadda.com
yogamat-turban.com
fykori.xyz
bitherders.com
strelingcollectibles.com
undershieldz.com
youcarboneutral.com
meetjaykinder.com
wicked-smokes.com
wy-bride.com
dunespro.com
sallyandterry.com
theamalfiswim.com
eleynworld.com
dreamsinbloomphotography.com
anaccommodation.com
slingactivt.com
rxd-ereecd.com
immovableproperty.online
ramziflowers.com
anthropophony.com
uncle.finance
ialife.info
kennascookies.com
meta-medical.info
sexcommittee.com
royalfountainlogistics.com
thedefinitionteam.store
dragonflyessence.com
momubeauty.com
alraedest.com
alcmjd.xyz
massagecon.com
nicoletian.com
rapslearning.online
dlapi.xyz
52economics.com
neurochirurgie-eisner.com
mbbfocean.xyz
greenlightiim.com
foodgw.com
Targets
Target: Order_CF00128.exe
Size: 249KB
MD5: 3354c90e93804da5b59c5e037bde0e0e
SHA1: ed6b364621233b681788f4598ff17268d15c2729
SHA256: 46eb08598db36bbd56aa97a864deb6e81b1a4f335cab69c02a163c7621f1d7e4
SHA512: fb72d0af999edc22712e517fa850f7ef22494734835ae1873abff5610ae890518479232c1cd41365b5fc8f04613b0570d45362e9c1c479e9a1565c38555c5b4f
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Sets service image path in registry
Deletes itself
Loads dropped DLL
Suspicious use of SetThreadContext