General
Target: Lista de orden_.0927272829229.PDF.zip
Size: 366KB
Sample: 220316-v1rx8sdfgj
MD5: f614eb3e41163f8e990eeb0235c35dd2
SHA1: ee360a6e2aebd65332269d696c1348fdc12f588f
SHA256: 382db49b891a9d2df05ce4ca1335868fa3cff3896ca905d56c84baa5b28371b0
SHA512: 5a78e30bacebbe02bd9d2b0b0cb984bf18a13f86d280ba3aef1b6f6dcab9ed559fdb632b673d16e56e91ce2a6c60b134658318aea396b1b6d6e0a883ed2f0b7b

Static task: static1

Behavioral task: behavioral1
Sample: Lista de orden?.0927272829229.PDF.exe
Resource: win7-20220311-es
Malware Config
Extracted: formbook 4.1, 3nop
Domains:
videohm.com
panache-rose.com
alnooncars-kw.com
trueblue2u.com
brussels-cafe.com
ip2c.net
influenzerr.com
rbcoq.com
zzful.com
drainthe.com
sumaholesson.com
cursosaprovados.com
genotecinc.com
dbrulhart.com
theapiarystudios.com
kensyu-kan.com
dkku88.com
tikhyper.com
aztecnort.com
homebrim.com
infinitilamp.com
leelegantflower.com
floor-space.investments
vidasustentavel.online
wholehearteddaughters.com
vipandeep.com
mdwovzrrm.icu
592215.com
academicplumbing.com
bestveganbook.com
theservantleader.com
nazarickdeveloper.xyz
delta-wing.com
girlfriendsgarb.com
sezyz11.com
ca3construction.com
smartswitchhomeloan.net
luckytwo.agency
ministry-of-barbers.com
babbageacademy.com
informationside.com
packapp.net
spacecoasthondaevent.com
thehealthyimmunereset.com
pjcavaliere.info
trebdurham.com
zhixintonghe.com
gon2580.com
dottproject.net
snakby.com
keeponsports.com
debbiewilsondesigns.com
stagingsolutionsgroup.com
forummondialdelamerbizerte.com
garnier.red
tempestchs.com
zpxinxi.com
jam-nins.com
inclusiocg.com
msmenders.com
whachupichu.com
pursemore.com
thebusinessfitclub.com
scootgotti.com
jakesplacebarbers.com
Targets

Target: Lista de orden?.0927272829229.PDF.exe
Size: 683KB
MD5: 5879dcb6632d8c3d53f39a29e86cdcce
SHA1: 97c358a006711c52a4647c3db520a9fdb575e952
SHA256: a84bdf209b862ffbdf3d963611eec3c1c2d70024e24041727a49bc618d6ff4cd
SHA512: 80778f7cfdea1f20b8a44a4633558dfc22475cadeb54b9477cb739d59f85c70a26b8b9dab84c62347d719438849cb91ef0da8de174af022c09b87d2a06c6d4eb

Signatures:
- Registers COM server for autorun
- Suspicious use of NtCreateUserProcessOtherParentProcess
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives: attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory
- Suspicious use of SetThreadContext