General
  Target: 000040021.exe
  Size: 179KB
  Sample: 220421-bf3pfsdaa5
  MD5: 6f6f64b82c949798ec80ecddea570ba9
  SHA1: 9895fe43bf8b037ec9110294e681410f419cf64b
  SHA256: 5978ce4905969580753f948beb8265a13d133cf29f9ddb206475a7f06f8fc885
  SHA512: 263308644df6dfc89d2466646ec7fda1092150128af96b8c62050c1b30f8ee0f8b0fa4ed03a375f2c78e5f5926e7b043db65b9a8b484b1d5a88760bb628e6cc6
Static task: static1
Behavioral task: behavioral1
  Sample: 000040021.exe
  Resource: win7-20220414-en
Malware Config

Extracted: formbook
  Version: 4.1
  Campaign: oh75
  Domains:
    - denizgidam.com
    - 6cc06.com
    - charlottewaldburgzeil.com
    - medijanus.com
    - qingdaoyiersan.com
    - datcabilgisayar.xyz
    - 111439d.com
    - xn--1ruo40k.com
    - wu6enxwcx5h3.xyz
    - vnscloud.net
    - brtka.xyz
    - showztime.com
    - promocoesdedezenbro.com
    - wokpy.com
    - chnowuk.online
    - rockshotscafe.com
    - pelrjy.com
    - nato-riness.com
    - feixiang-chem.com
    - thcoinexchange.com
    - fuelrescuereponse.com
    - digitaltunic.com
    - cellefill.com
    - paulbau.com
    - camillebeckman.xyz
    - ilico-media.com
    - 603sa.com
    - firstechfedcu.com
    - koreaglp.com
    - thebeardedbrocksblends.com
    - musumeya-kotora.com
    - tocoteacanada.com
    - travelwitharden.com
    - diversamenteclinica.com
    - bw613.com
    - qe46.com
    - spectrumelectrolysis.com
    - maloyenterprises.com
    - inovasyon.xyz
    - remijoe.com
    - petsgallie.com
    - metagiphydownload.online
    - tigerdieect.com
    - jamedomp.com
    - peninsularbottling.com
    - 1383fx.com
    - pandeymasala.online
    - spoilnet.com
    - itweu.com
    - ankxbi.icu
    - lm-safe-keepingyuchand92.xyz
    - dreamdsjoceo.com
    - providentview.com
    - newchinafortpayne.com
    - wu6bvnrlz4ra.xyz
    - intrasvp.com
    - ghoul-ambrose.com
    - alltenexpress.com
    - oniray.com
    - sistemaparadrogaria.com
    - zeidrei514-nifty.xyz
    - excaliburteacher.com
    - jennyandsteven.com
    - zakcotransportationllc.com
    - wwwccsuresults.com
Extracted: netwire
  C2:
    - 127.0.0.1:3360
    - 212.192.246.209:141
  activex_autorun: false
  activex_key:
  copy_executable: false
  delete_original: false
  host_id: 04-22
  install_path:
  keylogger_dir:
  lock_executable: false
  mutex:
  offline_keylogger: false
  password: 123456
  registry_autorun: false
  startup_name: �k
  use_mutex: false
Targets

Target: 000040021.exe
  Size: 179KB
  MD5: 6f6f64b82c949798ec80ecddea570ba9
  SHA1: 9895fe43bf8b037ec9110294e681410f419cf64b
  SHA256: 5978ce4905969580753f948beb8265a13d133cf29f9ddb206475a7f06f8fc885
  SHA512: 263308644df6dfc89d2466646ec7fda1092150128af96b8c62050c1b30f8ee0f8b0fa4ed03a375f2c78e5f5926e7b043db65b9a8b484b1d5a88760bb628e6cc6

  - NetWire RAT payload
  - Formbook Payload
  - Executes dropped EXE
  - Checks computer location settings
    Looks up the country code configured in the registry, likely a geofence.
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext