General
Target: f7aecc7a4ef038b5b5e8411a61cede47a27545212383efc92dd4f4eaaef05d0f
Size: 251KB
Sample: 220201-c2dg5afddp
MD5: f82c2c0caa6def6ee8b49cb2f6c46525
SHA1: f96ea2fb3231bbf18ca958395443a7edf9db44f9
SHA256: f7aecc7a4ef038b5b5e8411a61cede47a27545212383efc92dd4f4eaaef05d0f
SHA512: 41c0d0b4c592308409a2e098dc6f78cc3082246f581e339c8ae3ed53258aca2755cf6f9e468f3fead3a016d2d87f46d4b26499a29ee1b2ee282dc1c7f622bd1b
Static task: static1
Behavioral task: behavioral1
Sample: OrderMT873.exe
Resource: win7-en-20211208
Malware Config
Extracted
Family: formbook
Version: 3.9
Campaign: pb6
Domains (65 entries). Formbook embeds its real C2 among decoy domains and contacts several entries from the list in each beacon cycle; the extractor does not separate the two, so most of these are unrelated legitimate sites and the list should not be blocked wholesale:
nuygunambulans.com
trfamilydentistry.net
wwwxh8111.com
ljbmh.com
profile-pep.date
planetsaintpete.com
reparmaxpro.com
firstdigital.exchange
alexbriansonwrites.com
violetchampion.rocks
phenomenalcosmicedibles.com
103man.com
iotaoracles.com
heroestotherescue.info
laguiafitness.com
nqwmz.com
hfmywx.com
hanjiayi.ltd
51lashcurler.com
bordacchini.com
evansanddavidsonrealty.info
continuousopo.site
lzj.info
emptyhours.com
apccma.com
stayceface.com
mymapleinn.com
foldableaccessories.com
seattlecontent.site
greenprem.com
gabrielasblog.online
istanbulkece.com
navigatorperiperi.com
registryday.com
brownhecknew.com
junkdisposalnow.link
abf.kim
leathergoddesses.com
ladiesdiscountoutlet.com
xn--g5t448h.top
360iouiou.com
xn--fiqr1yezbf72a.com
xn--ondaterrquea-jbb.com
youtubeumail02.site
paulscrie.com
creativeminddrugs.com
uranaitaiken.com
longzhu.ltd
kilisyerelcicekci.com
asccarpintaria.com
40flogistics.com
lavuesxm.com
blackmovies.mobi
kuwakino-and.com
disastersolarmods.info
pendik-arcelikservisi.com
theblinkwater.villas
pianzidb.com
authenticallurellc.com
leonormartinarquitectura.com
tv18191.cloud
monroetaxiandlimo.info
geoteem.com
1-19hillsroad.com
domaky.com
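The domain list above used as a hunting feed, as an added Python example that is not part of this report or of the sandbox's tooling. It matches DNS log lines against the extracted domains and scores each source host by how many distinct listed domains it touched, because a single hit on a decoy domain is ordinary browsing while several from one host in a short window is the beaconing pattern. The list is cut down to a subset for length, and the log format, source IPs, timestamps and alert threshold are assumptions for this example.

```python
"""Added example (not part of the Triage report): match DNS / proxy log
lines against the domain list from this sample's extracted Formbook config.

Formbook ships one real C2 among decoy domains and contacts several entries
from the list per beacon cycle, so the useful signal is how many distinct
listed domains a host touched, not a single hit (a single hit is often a
user browsing a legitimate site that the malware author used as a decoy).
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Subset of the 65 domains listed under "Malware Config" above. For real use
# paste the complete list; the subset only keeps this example short.
CONFIG_DOMAINS: Set[str] = {
    "nuygunambulans.com", "nqwmz.com", "hfmywx.com", "lzj.info",
    "paulscrie.com", "xn--g5t448h.top", "abf.kim", "tv18191.cloud",
    "domaky.com", "360iouiou.com",
}


def normalize_domain(name: str) -> str:
    """Lower-case, strip a trailing dot and convert IDN labels to punycode so
    a Unicode hostname in a log matches the xn-- form stored in the config."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        # Labels the IDNA codec rejects (empty or over-long labels) are
        # compared as plain lower-case text instead of being dropped.
        return name


def match_domain(host: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of.

    Matching is label-aligned: www.lzj.info matches lzj.info, notlzj.info
    does not."""
    labels = normalize_domain(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def score_hosts(log_lines: List[str],
                domains: Set[str] = CONFIG_DOMAINS) -> Dict[str, List[str]]:
    """Map each source IP to the sorted, distinct listed domains it queried.

    Expects the constructed whitespace format used in SAMPLE_LOG:
    <timestamp> <source ip> <queried name>. Adapt the parser to your log.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the sweep
        src, qname = parts[1], parts[2]
        matched = match_domain(qname, domains)
        if matched:
            hits[src].add(matched)
    return {src: sorted(ds) for src, ds in hits.items()}


def alert_hosts(hits: Dict[str, List[str]], threshold: int = 3) -> List[str]:
    """Hosts that touched at least `threshold` distinct listed domains."""
    return sorted(src for src, ds in hits.items() if len(ds) >= threshold)


# Constructed sample log (not real traffic). 10.0.0.5 shows the rotating
# pattern; 10.0.0.9 is a single query that on its own proves nothing.
SAMPLE_LOG = [
    "2022-02-01T10:00:01Z 10.0.0.5 WWW.NQWMZ.COM.",
    "2022-02-01T10:00:02Z 10.0.0.5 hfmywx.com",
    "2022-02-01T10:00:02Z 10.0.0.5 www.google.com",
    "2022-02-01T10:00:03Z 10.0.0.5 www.lzj.info",
    "2022-02-01T10:00:09Z 10.0.0.9 paulscrie.com",
    "2022-02-01T10:00:10Z 10.0.0.9 notlzj.info",
]

if __name__ == "__main__":
    hits = score_hosts(SAMPLE_LOG)
    for src, ds in hits.items():
        print(src, ds)
    print("alert:", alert_hosts(hits))
```

The threshold of three distinct domains is a starting point, not a tuned value; raise it if the environment legitimately visits several of the decoy sites, and pair a hit with the Suricata check-in signatures listed under Targets before treating a host as infected.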
Targets
Target: OrderMT873.exe
Size: 396KB
MD5: 627180be09dd531fcb5816cd0eea08fe
SHA1: 4d991b8f61fbb685d54146dcab9a538a231f6270
SHA256: 3fa9686148804d4c199173b6c6fe96ea61b1b00e4df8b31c3a329efaef07c469
SHA512: 4f6a45a0b4a7d028a76567bc2798d19a13a014de628f4a9b7af6b297d3351a04f16824784cd721156ab59d78852c87e1a6835f84070a6c859fb3d454fed983e6
Note: this 396KB executable is a different object from the 251KB submission listed under General (all hashes differ), so both sets of hashes are indicators for this sample.
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload
Sets service image path in registry
Deletes itself
Adds Run key to start application
Because the sample deletes itself, the original dropper path is unlikely to still exist on an infected host; the service ImagePath and Run key entries are the durable artefacts to look for.
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext
SetThreadContext applied to a thread of another process is the usual final step of process hollowing or thread hijacking: the payload is written into the host process and the thread's instruction pointer is redirected to it, which is why this call is flagged as injection rather than ordinary debugging.
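A host-side check for the persistence and self-deletion behaviours listed above, as an added Python example that is not part of the Triage report or its tooling. It parses Run-key and service ImagePath command lines into executable paths (quoted paths, NT-style \??\ and \SystemRoot\ prefixes, REG_EXPAND_SZ %VAR% references, driver paths relative to the system directory), flags binaries outside the standard trusted roots, treats a dangling entry as a lead because the sample deletes itself, and compares the SHA256 of anything still on disk with the two hashes from this report. The registry locations are the standard Windows ones; EXAMPLE_ENV, the user name bob, the trusted-root list and the path-extraction heuristics are assumptions for this example.

```python
# Added example (not part of the Triage report): triage the persistence the
# report lists (Run key, service ImagePath) plus the self-deletion. Pure
# functions run anywhere; enumerate_persistence() needs Windows (winreg).
import hashlib, os, re
from typing import Callable, Dict, Iterator, List, Optional, Tuple

try:
    import winreg  # Windows only
except ImportError:
    winreg = None

REPORT_SHA256 = {  # both SHA256 values from the report (submission and OrderMT873.exe)
    "f7aecc7a4ef038b5b5e8411a61cede47a27545212383efc92dd4f4eaaef05d0f",
    "3fa9686148804d4c199173b6c6fe96ea61b1b00e4df8b31c3a329efaef07c469",
}
RUN_KEYS = [
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"),
]
SERVICES_KEY = r"SYSTEM\CurrentControlSet\Services"
# Constructed environment for offline use; on a live host pass dict(os.environ).
EXAMPLE_ENV = {"SystemRoot": r"C:\Windows", "ProgramFiles": r"C:\Program Files",
               "ProgramFiles(x86)": r"C:\Program Files (x86)", "APPDATA": r"C:\Users\bob\AppData\Roaming"}
_QUOTED = re.compile(r'^\s*"([^"]+)"')
_BY_EXT = re.compile(r"^\s*(.+?\.(?:exe|sys|dll|com|bat|cmd|scr))(?=\s|$)", re.I)
_VAR = re.compile(r"%([^%]+)%")

def extract_executable(cmdline: str) -> str:
    """Program path: quoted path, else up to the first known extension (unquoted paths with spaces), else first token."""
    m = _QUOTED.match(cmdline) or _BY_EXT.match(cmdline)
    return m.group(1) if m else cmdline.strip().split(" ", 1)[0]

def expand_env(text: str, env: Dict[str, str]) -> str:
    """Expand %VAR% case-insensitively (REG_EXPAND_SZ values come back unexpanded)."""
    lookup = {k.lower(): v for k, v in env.items()}
    return _VAR.sub(lambda m: lookup.get(m.group(1).lower(), m.group(0)), text)

def canonicalize(path: str, env: Dict[str, str]) -> str:
    """Normalise the NT prefix, the SystemRoot prefix, %VAR% references and system-relative driver paths."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    if p.lower().startswith("\\systemroot"):
        p = "%SystemRoot%" + p[len("\\systemroot"):]
    p = expand_env(p, env)
    if not re.match(r"^[A-Za-z]:\\|^\\", p):  # no drive letter and not NT/UNC: relative to SystemRoot
        p = expand_env("%SystemRoot%", env) + "\\" + p
    return p

def trusted_roots(env: Dict[str, str]) -> List[str]:
    return [expand_env(v, env) for v in ("%SystemRoot%", "%ProgramFiles%", "%ProgramFiles(x86)%")]

def is_trusted_location(path: str, roots: List[str]) -> bool:
    p = path.lower()  # whole-component prefix: C:\WindowsFake\ is not under C:\Windows\
    return any(p.startswith(r.lower().rstrip("\\") + "\\") for r in roots)

def sha256_file(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def assess_entry(location: str, name: str, cmdline: str, env: Dict[str, str],
                 exists: Callable[[str], bool] = os.path.exists,
                 hasher: Callable[[str], Optional[str]] = sha256_file) -> Dict[str, object]:
    """Classify one entry; exists/hasher are injectable so this runs offline. A missing target is a lead: the sample deletes itself."""
    path = canonicalize(extract_executable(cmdline), env)
    present = exists(path)
    digest = hasher(path) if present else None
    return {"location": location, "name": name, "path": path,
            "trusted_location": is_trusted_location(path, trusted_roots(env)),
            "exists": present, "sha256": digest, "ioc_match": digest in REPORT_SHA256}

def enumerate_persistence() -> Iterator[Tuple[str, str, str]]:
    """Yield (location, value name, command) from Run keys and service ImagePaths."""
    if winreg is None:
        raise RuntimeError("live registry enumeration requires Windows")
    for hive_name, sub in RUN_KEYS:
        try:
            with winreg.OpenKey(getattr(winreg, hive_name), sub) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, value, _ = winreg.EnumValue(key, i)
                    yield (hive_name + "\\" + sub, name, str(value))
        except OSError:
            continue  # key absent on this host (e.g. no WOW6432Node)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SERVICES_KEY) as services:
        for i in range(winreg.QueryInfoKey(services)[0]):
            svc = winreg.EnumKey(services, i)
            try:
                with winreg.OpenKey(services, svc) as k:
                    value, _ = winreg.QueryValueEx(k, "ImagePath")
            except OSError:
                continue  # no ImagePath (filter drivers, service groups)
            yield ("HKEY_LOCAL_MACHINE\\" + SERVICES_KEY + "\\" + svc, "ImagePath", str(value))

if __name__ == "__main__" and winreg is not None:
    for loc, name, cmd in enumerate_persistence():
        print(assess_entry(loc, name, cmd, dict(os.environ)))
```

Run it with a Windows build of Python on the suspect host and review entries whose path is outside the trusted roots, whose target no longer exists, or whose hash matches the report; a rundll32 or svchost entry legitimately lives under SystemRoot, so for those the argument (the DLL or service group) is what needs inspection, which this parser deliberately leaves in the command line.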