General
- Target: 729dedb95d38dd742c756b1f522e3c721b1f616c6b35a4be065255cd3326812a
- Size: 279KB
- Sample: 220521-a8dqcsbea2
- MD5: a37c6b29d479210143898fa4e9503d1f
- SHA1: 7a43ae77e466b4301436f0598889f851be65fd01
- SHA256: 729dedb95d38dd742c756b1f522e3c721b1f616c6b35a4be065255cd3326812a
- SHA512: 4e1f9627d094c23e464b631fb884effa1b90a0c0599cad6edf53f3d0868d995a9a12bd0ac02a74db68e808b299c0dc2fd474eab145ccce75295ca95c51b97876
Static task: static1
Behavioral task: behavioral1
- Sample: Quotation.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: m6x
- C2 domains (as listed in the extracted config):
990939.top
dhluxuryconsulting.com
muapnvnsfr.com
homder.com
valveiran.com
alkhaleejtrading.net
jekweiss.com
kevinklasmanmusic.com
buyilovebacon.com
nq227.com
cryptrproject.com
medicine.mba
nufilter.info
highway99restorations.com
phytohealthkits.com
accentuatephotography.com
tradeclimber.com
yasseralm.com
ito-agri.com
divandaman.com
raihtn.site
solyetrfademven.com
tepire.net
cointicket.online
johnhevank.com
pxskin.com
528jr.net
kovachnation.com
marstroy.info
1xsort.com
ugrowvancouverisland.com
sprintstats.com
furkankarakus.com
seo-caen.net
yclm1051.com
floydcountybaseball.com
privewin5.com
donaldjtrumpjr.chat
coloral.biz
xj9x.com
stichtingkind.com
tv16429.info
forgatheredhealth.com
waldheim-heslach.com
huimin26.com
mxfbyym.com
goveritas.com
newexpertise.biz
qqfyt.com
invictussociety.com
mmgan19.com
meileefu.com
profitpk.com
koolkitchendezigns.com
tubesluitmachine.com
mypussy.online
land8531.com
zhekou115.com
greenlandeventsntours.com
sydneycohn.net
bibs-bobs.com
zghz6688.com
wujing.group
motoucai.com
hearxy.com
Targets
- Target: Quotation.exe
- Size: 378KB
- MD5: f3cf72f1ae6aa14ad0da0ee454e42bfb
- SHA1: 93c3d771808d2c5a4ad34e9cebe3fab5da335069
- SHA256: 3837dc32928e8556207e8dafb872968279682dc4a848d09f73823818d2fb7dff
- SHA512: 4a52b43f19bdfbb4614ae510c0e1aea414d676ce7d5b0120c66e14c791498d9ee9e458aafe74885f7b62e355139bacb46541f92eddc6b85836dcb4dc36cb984a
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext