General
-
Target
Draft_shipping_document.lzh
-
Size
98KB
-
Sample
220314-h5h5nsfgaj
-
MD5
06d7ac6f214b0343962ace85e1c40e88
-
SHA1
d022031b3b4b25d9a9587483de0a75089708a206
-
SHA256
27b950f8b84e372d1b9d0fd7b918cb633eaa2556ef47c63baf0b916f04f5bffd
-
SHA512
4fcb6de9a5f005d7081873c4b47deed11162523c844175361efce57132224c3a662df7c21b0973bce5e69cc8659c821b275ec5d723949f75c1dfedd123a24e7c
Static task
static1
Behavioral task
behavioral1
Sample
Draft_shipping_document.vbs
Resource
win7-20220310-en
Behavioral task
behavioral2
Sample
Draft_shipping_document.vbs
Resource
win10v2004-en-20220113
Malware Config
Extracted
formbook
4.1
k6sm
mingshengjewelry.com
ontimecleaningenterprise.com
alyssa0.xyz
ptecex.xyz
dukfot.online
pvcpc.com
iowalawtechnology.com
nestletranspotation.com
mysithomes.com
greenlakespaseattle.com
evofishingsystems.com
unilytcs.com
ordemt.com
dentalbatonrouge.com
pictureme360.net
chalinaslacatalana.com
newmirrorimage.xyz
pinklaceandlemonade.com
rapinantes.com
yzicpa.com
josephosman.com
robsarra.com
shumgroup.net
flooringnewhampshire.com
onceadayman.com
audiomacklaunch.xyz
hurryburry.com
golfvid.info
tutortenbobemail.com
tatlitelasorganizasyon.com
tqgtdd.space
classicalruns.com
xx3tgnf.xyz
galwayartanddesign.com
qidu.press
crypto-obmennik.com
dn360rn001.com
tridim.tech
phamhome.com
mediadollskill.com
loveatmetaverse.com
electric4x4parts.com
azulymargarita.com
isadoramel.com
rubyclean.com
officiallydanellewright.com
wu8d349s67op.xyz
detetivepyther.com
wondubniumgy463.xyz
registry-finance3.com
ultracoding.com
open-4business.com
supremelt.online
pangfeng.xyz
morneview.com
northfloridapsychic.com
kg4bppuh.xyz
friv.asia
epsilonhomecare.com
hbina.com
beachhutprinting.com
sophoscloudoptix.net
managemarksol.site
palestyna24.info
usyeslogistics.com
Targets
-
-
Target
Draft_shipping_document.vbs
-
Size
805KB
-
MD5
3d283fd545af947a47e6953d6335b98a
-
SHA1
331b837d008efc12c0702b290c747581583169fd
-
SHA256
280925849cd341c089c250b6609a0cab91026578f98bc2c45cb924dc9c8967a5
-
SHA512
c954754254c31cf881bb96efc601b683ae9ba75a90054626186ac9392958bc5cb3bdc3b1348df3885f998002c0a3c523fd744b29bc149b9894bb04d480bf602c
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
Adds policy Run key to start application
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-