General
-
Target
f81b600bdc6cc3567388b747dcd8125ed1af34d1ea5aa0a8207f3e9ff08ef3c3
-
Size
319KB
-
Sample
220520-rqnlaabbcj
-
MD5
ca3fdc95c72c231742846892c01b9835
-
SHA1
27d7080b042e41d4e1bc1d3b9d66a8f55c661024
-
SHA256
f81b600bdc6cc3567388b747dcd8125ed1af34d1ea5aa0a8207f3e9ff08ef3c3
-
SHA512
d207dc8b17f5425df194af69506a292767398c04c1b0c3c8c20825b4a36044ff4595ca56ffbff6a2938f12db9ba9832b8dc7a645bd83df7b273db3725c844299
Static task
static1
Behavioral task
behavioral1
Sample
Yeni Sifari?.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
4.1
3nop
bakecakesandmore.com
shenglisuoye.com
chinapopfactory.com
ynlrhd.com
liqourforyou.com
leonqamil.com
meccafon.com
online-marketing-strategie.biz
rbfxi.com
frseyb.info
leyu91.com
hotsmail.today
beepot.tech
dunaemmetmobility.com
sixpenceworkshop.com
incrediblefavorcoaching.com
pofo.info
yanshudaili.com
yellowbrickwedding.com
paintpartyblueprint.com
capricorn1967.com
meucarrapicho.com
41230793.net
yoghurtberry.com
wv0uoagz0yr.biz
yfjbupes.com
mindfulinthemadness.com
deloslifesciences.com
adokristal.com
vandergardetuinmeubelshop.com
janewagtus.com
cloudmorning.com
foresteryt01.com
accident-law-yer.info
divorcerefinance.guru
wenxiban.com
589man.com
rockerdwe.com
duftkerzen.info
igametalent.com
yoursafetraffictoupdates.review
jialingjiangpubu.com
maximscrapbooking.com
20sf.info
shadowlandswitchery.com
pmbnc.info
shoppingdrift.online
potashdragon.com
ubkswmpes.com
064ewj.info
rewsales.com
dealsforyou.tech
ziruixu.com
naehascloud.com
smokvape.faith
sunflowermoonstudio.com
stepgentertainment.com
tawbj.info
besthappybuds.net
koohshoping.com
ajikrentcarsurabaya.com
jkjohnsroofingfl.com
whatsnexttnd.com
yoyodvd.com
joomlas123.info
Targets
-
-
Target
Yeni Sifari?.exe
-
Size
651KB
-
MD5
ef3ca842b9c00a0bc3c40cb0c547180e
-
SHA1
decbd80b7215eef9049542b529986359fea02ff9
-
SHA256
cc223497fe89e227d0696798ffd12ef6037ee71dfe047483f6a8f1be69bf5754
-
SHA512
4bd7eaf9b7c2c4c78b14788549cb71da2eb8074b81c786a6a8b0e03677a9bd1c89118a47ecd150249b46dab4798f0b00c4a5f40e15cd0a629243f90548eceede
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
Adds policy Run key to start application
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Suspicious use of SetThreadContext
-