General
Target: bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819
Size: 377KB
Sample: 220520-3w9lgshfe3
MD5: d921a212c9cd066df391374b26304466
SHA1: 71927f4e9a855bbe179737a9a050d4233240ce7f
SHA256: bc5808e90a1540e8f2523f7f0e072d7d91d527e68cd50e4caaa98cbbe1988819
SHA512: da5ec4802e9f500a4bc7f019ed1f28cbed51c07be2fe52523ab7b2725c51cdc828ccddaba3a752039bc94342d1efa11bf96c159a59b089e2d4ac4bf8bb0d9cc1
Static task: static1
Behavioral task: behavioral1
Sample: shipping documents, INV+BL.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
otn
thewoodwideweb.net
broadconnectionpm.com
tuzlametro.net
vjpqdk.info
vietnamtimetravel.com
notice-close-n217.online
verif22-mail999-pymts76.com
bestgreenhouseplan.com
brangain.top
cukaapelbragg.com
stileincucina.com
veloflambe.com
virtualsupportservicesllc.com
smpl.site
mezo.ltd
incidenciasarty.com
everglamp.com
theflowerfarmplanner.com
oasis-base.net
jnrhsh.com
hostux.info
aptivauto.com
xedinl.info
newfiveflags.com
ottleyco.com
my-debtrelief.com
frantac.com
new-auto-news.com
castironcravings.com
cplusc.studio
firsteditionbooks.net
atraedinero.com
fooddeza.com
mariancolmanart.com
ats-ortho.com
kabolobari.com
otcvollar.com
dliti.com
jidanyun.com
realestatewithdawn.com
idecorados.com
czgy1991.com
moneysavingmissy.com
oderviettrung.com
szzolon.com
candycrushsaga.cloud
jmsortho.com
carebookkeeping.com
milesdavidlee.com
generallasers.com
informaticahostednp.com
paintmywedding.net
opusdentalonline-beta.com
rickramgattie.com
nbgkl.com
pjhsea.info
accuratevinylinc.com
dissedin.com
findmyticket.info
greekobsession.com
trendlong.com
tumarcaesladiferencia.com
noragamst.com
shapupu.com
regulars7.info
Targets
Target: shipping documents, INV+BL.exe
Size: 430KB
MD5: 528803eb79a155fc433c390a194ae344
SHA1: 3e85abf112dbe5d5cb3b36f82cb5e5aba4f54757
SHA256: 5e1663a897c64460d68fdf6848b63f589680e75f4d935258a7862b9d1ff617b1
SHA512: b3a29219e6287103d6443ef39891d29b9f95cb72c6b39537c576d7f47fcb53a910fc6d9524a8f90fe26fc42674dedf59b3d39859f0636ed578f16f4fc5a3140d
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Adds policy Run key to start application
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Suspicious use of SetThreadContext