General

Target: 83972d9fc2f49b8557a13e1c5b3737d3c03ab53410d7989eaba975216d7be2bb
Size: 279KB
Sample: 220521-a8bwrsbdh9
MD5: fd5c2c17858aa3ae319a4b947cac03e3
SHA1: 3000982fd9363a35bb9a6195fbe872dea9ff9754
SHA256: 83972d9fc2f49b8557a13e1c5b3737d3c03ab53410d7989eaba975216d7be2bb
SHA512: 05faf678616e71d8d58beb4ef0c4204aaf4fb3db18109a5c7b4bdf97a699965867d4c1eb8edb064fe54333d3e023924f5d5bae3c30128f7ca551092d5541d618

Static task: static1
Behavioral task: behavioral1
Sample: Quotation list.exe
Resource: win7-20220414-en
Malware Config

Extracted
Family: formbook
Version: 3.9
Campaign: m6x
Domains (one per line; a FormBook config carries decoy domains alongside the real C2 host, so not every entry below is live attacker infrastructure):
990939.top
dhluxuryconsulting.com
muapnvnsfr.com
homder.com
valveiran.com
alkhaleejtrading.net
jekweiss.com
kevinklasmanmusic.com
buyilovebacon.com
nq227.com
cryptrproject.com
medicine.mba
nufilter.info
highway99restorations.com
phytohealthkits.com
accentuatephotography.com
tradeclimber.com
yasseralm.com
ito-agri.com
divandaman.com
raihtn.site
solyetrfademven.com
tepire.net
cointicket.online
johnhevank.com
pxskin.com
528jr.net
kovachnation.com
marstroy.info
1xsort.com
ugrowvancouverisland.com
sprintstats.com
furkankarakus.com
seo-caen.net
yclm1051.com
floydcountybaseball.com
privewin5.com
donaldjtrumpjr.chat
coloral.biz
xj9x.com
stichtingkind.com
tv16429.info
forgatheredhealth.com
waldheim-heslach.com
huimin26.com
mxfbyym.com
goveritas.com
newexpertise.biz
qqfyt.com
invictussociety.com
mmgan19.com
meileefu.com
profitpk.com
koolkitchendezigns.com
tubesluitmachine.com
mypussy.online
land8531.com
zhekou115.com
greenlandeventsntours.com
sydneycohn.net
bibs-bobs.com
zghz6688.com
wujing.group
motoucai.com
hearxy.com
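The domain list above is only useful once it is normalised and turned into something a sensor can match. The Python below is an added example, not part of this report or of any sandbox tooling: it deduplicates and validates a pasted config list, defangs entries for sharing in tickets, and emits one Suricata dns.query rule per domain. The embedded list is a constructed subset of the domains above (with a duplicate and a junk line added to exercise the parser), and the SID range, classtype and rule wording are assumptions to adapt to your ruleset. Because FormBook configs mix decoys with the real C2, treat a DNS hit as a lead to correlate with the HTTP check-in signature, not as proof of compromise by itself.

```python
"""Turn an extracted FormBook domain list into detection artifacts.

Added example; not from the sandbox report or the FormBook sample.
The SID range and rule text are assumptions; the dotprefix transform
used below requires Suricata 5.0 or newer.
"""
import re

# Constructed sample: a subset of the config domains from the report,
# plus one duplicate and one junk line to show the normalisation.
CONFIG_TEXT = """\
990939.top
dhluxuryconsulting.com
muapnvnsfr.com
homder.com
valveiran.com
990939.top
not a domain!
"""

# Hostname syntax: dot-separated labels of letters/digits/hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def parse_config_domains(text: str) -> list[str]:
    """Lowercase, strip, drop blank/invalid lines and duplicates, keep order."""
    seen, out = set(), []
    for line in text.splitlines():
        d = line.strip().lower().rstrip(".")
        if not d or not _DOMAIN_RE.match(d) or d in seen:
            continue
        seen.add(d)
        out.append(d)
    return out


def defang(domain: str) -> str:
    """Make an indicator non-clickable for reports: 'a.b' -> 'a[.]b'."""
    return domain.replace(".", "[.]")


def suricata_dns_rules(domains: list[str], sid_start: int = 1000001,
                       family: str = "FormBook") -> list[str]:
    """One DNS-query rule per domain.

    dotprefix turns the queried name into '.name', so content:".example.com"
    with endswith matches example.com and any subdomain (FormBook typically
    prefixes www.), but not otherexample.com.
    """
    rules = []
    for i, d in enumerate(domains):
        rules.append(
            f'alert dns $HOME_NET any -> any any '
            f'(msg:"{family} config domain {d}"; '
            f'dns.query; dotprefix; content:".{d}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{sid_start + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    domains = parse_config_domains(CONFIG_TEXT)
    print("indicators:", ", ".join(defang(d) for d in domains))
    print("\n".join(suricata_dns_rules(domains)))
```

To use it on the full list, paste the domains above into CONFIG_TEXT (or read them from a file) and drop the generated rules into a local.rules file; assign a SID range that does not collide with your existing rules.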
Targets

Target: Quotation list.exe
Size: 378KB
MD5: 3617db6af880e252d22998f0172c4b1b
SHA1: debf933d05217678743203fb00dff0b86dbc03be
SHA256: 8256c24d02c5a109077b512ce3b45d7f95bf38cc01c33a968bea89f244f48e40
SHA512: 50567cf8853a9b58dc8b23aa4a3bbb5abb9a449024751eadedda1c3bba935bcd61d8a58568e7006f2ba70782754d3a49a115f5974812e652499592751d977245

These hashes belong to the executable that actually ran and differ from the submission hashes under General (279KB versus 378KB): use the values here when matching endpoint telemetry for the running binary, and the General values when matching the object as it was received.

Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
The Emerging Threats rule for FormBook's HTTP GET check-in fired on the sandbox's network capture, so the sample attempted its C2 check-in during the run.

Formbook Payload
The FormBook payload was identified in the sample; this is the source of the extracted config above.

Adds policy Run key to start application
Persistence through a value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (HKCU or HKLM). Explorer executes these entries at logon just like the ordinary Run key, and many quick persistence checks only look at the latter.

Deletes itself
The original executable removes itself once the payload is running, so collect the file from the delivery vector rather than from the infected host.

Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.

Suspicious use of SetThreadContext
Setting another thread's context is characteristic of process hollowing and thread hijacking; FormBook injects its payload into a legitimate Windows process, so this is the injection step rather than incidental activity.
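The policy Run key is the quickest thing to check on a host suspected of running this sample. The Python below is an added example, not from the report or any sandbox tooling: it parses the text that reg export produces for the Policies\Explorer\Run key (so it can run offline against an export collected from a host) and flags values whose command runs from a user-writable directory, which is the usual tell for malware persistence. The registry export embedded in it is constructed, and the value name, user name and file path in it are invented; the list of user-writable directories is an assumption you may need to extend.

```python
r"""Hunt for persistence under the Explorer policy Run key.

Added example; not part of the sandbox report. On a live host collect the
input with:
  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" run.reg
(repeat for HKLM), convert from UTF-16 and feed the text to parse_reg_export.
"""
import re

# Constructed sample export (already decoded from UTF-16). The value
# name "ooqp9", the user "victim" and the file path are invented.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"OneDriveSetup"="C:\\Program Files\\Microsoft OneDrive\\OneDriveSetup.exe /silent"
"ooqp9"="C:\\Users\\victim\\AppData\\Roaming\\ooqp9\\Quotation list.exe"
"""

# Directory markers that indicate a user-writable location (assumed list;
# extend it for your environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# A REG_SZ value line in a .reg file: "name"="data"
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_reg_export(text: str,
                     key_suffix: str = r"policies\explorer\run") -> dict[str, str]:
    """Return {value_name: data} for every key whose path ends with key_suffix."""
    values, in_key = {}, False
    for line in text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower().endswith(key_suffix)
            continue
        m = _VALUE_RE.match(line.strip()) if in_key else None
        if m:
            # .reg files escape backslashes and double quotes inside string data.
            data = m.group("data").replace("\\\\", "\\").replace('\\"', '"')
            values[m.group("name")] = data
    return values


def suspicious_run_entries(values: dict[str, str]) -> list[tuple[str, str]]:
    """Flag entries whose command runs from a user-writable directory."""
    flagged = []
    for name, cmd in values.items():
        normalised = cmd.lower().replace("/", "\\")
        if any(marker in normalised for marker in USER_WRITABLE):
            flagged.append((name, cmd))
    return flagged


if __name__ == "__main__":
    entries = parse_reg_export(SAMPLE_REG)
    for name, cmd in suspicious_run_entries(entries):
        print(f"SUSPICIOUS policy Run value {name!r}: {cmd}")
```

A hit here should be paired with the file's hashes (compare against the Quotation list.exe values above) before cleanup, since the "Deletes itself" behaviour means the path may already point at a copy rather than the original dropper.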