General
Target: 1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e
Size: 547KB
Sample: 220521-b5zn4agbbk
MD5: db14522bbafc3685be539d663df51f9c
SHA1: 5fcb0d12faa27945252f8a7921d75175f17bb42a
SHA256: 1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e
SHA512: 337a748c06641569b9729e923a897d8048cc43ce03d7baf849fe3b16aade5a0605592a32109d6b026caf6cc7f6ec19321dbfb76d21d2ad174fb3793b4a0204ae
Static task: static1
Behavioral task: behavioral1
  Sample: 2nd PO389733.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 2nd PO389733.exe
  Resource: win10v2004-20220414-en
Behavioral task: behavioral3
  Sample: PO389732.exe
  Resource: win7-20220414-en
Malware Config
Extracted: formbook 4.1 mmw
Extracted: xloader 2.0 b6fg
Targets

Target: 2nd PO389733.exe
Size: 351KB
MD5: e4df03f1fc29eb4fc32a0801b26ce6ed
SHA1: 1c487bae47d8f81ab5b2f851ace41b3520e0e77e
SHA256: ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e
SHA512: f89812a4a5ed11d10c6880e34a2bd34a6f0f96b929fd1bcf3790227505c256abd17ea5f3411529aab9db0c850b3449adcb2399541c52cb3856ebc9800e15f179
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext

Target: PO389732.exe
Size: 325KB
MD5: 4cd3bc98fa3df22248c7e5d63dbe1168
SHA1: fb32e85f940945c6c0d3052b80f48f5bc48f7c7d
SHA256: cde5b9157162c55139f508884d7be6be903acc9d85842a667c1b2ef04a1ecd49
SHA512: 0b2d2ada876da8ae777b80f2b99895b62449052e723ef5c6a71d02c317dc6c34346f1a35ea875149f2ebd94b775a7b8e3f2e712e2765e0e2fe82c2ec7376896e
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Xloader Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext