General
Target: fea591c91f4db5a9238525988d1844cf9d68331b4cf4425acedff0fb9fb9b2d7
Size: 656KB
Sample: 220521-b7s94adda3
MD5: c6d9b9f4525c166f772f738eb245b5ab
SHA1: 86467edf38be38884c655cebf047df352e0d1150
SHA256: fea591c91f4db5a9238525988d1844cf9d68331b4cf4425acedff0fb9fb9b2d7
SHA512: ffd65e4a50f906a28ee17b20d25b489a00897f12a26a8a1ff4d7ae53612370d3deb28dcf1a2455ae0aeb5120b7c5feaa6f5cac9c0b455e5c3b910a8cc7c34739
Static task: static1
Behavioral task: behavioral1
Sample: caietul de sarcini.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
kvsz
okashyns.com
sbsgamedaejeon-two.com
drb77.com
top5dating.com
websprings.online
voizers.com
zenith.site
lahistoriade.com
qv85.com
armandonieto.com
priestvedic.com
jessandjeff.net
magic-desktop.com
jitaji.com
ldmeili.com
yuwanqingmy.com
buzhouorg.com
chaiseloungereviews.com
m2g8way.com
freespin-support.com
bocapvang.net
315px.com
eugeniobarros.tech
sif.email
xn--oorv2aj6bj7cds0d6p4b.com
polychips.com
grouptulip.win
landbank.site
bet365c.win
inbonz.com
outofthepark.today
jeaniney.com
weeip.com
dmoneylife.com
rticlubs.com
reisedating.com
marijuanadogbone.com
funippon.com
banknotesync.com
alexandre-boissard.com
valorartetattoo.com
savetheverse.com
specificpcshop.online
h0jt1y.accountant
jiqing3.com
alfaranakle.com
saft-store.com
wanderingcollective.com
santandermobi.online
557023.top
loulancaster.com
vedattelekom.com
jatinangorcity.com
goldencanaries.com
edgaralanbro.com
levelretail.com
taylorsandbek.com
upbeatnewyork.com
motoreselectricoschihuahua.com
hotair.wales
getawomantodoit.com
xiaoxiong365.com
cloudboxsupport.com
vecteur-u-shop.com
fex-tracks.com
Targets
Target: caietul de sarcini.exe
Size: 790KB
MD5: f28ec13e3098402bc68fea894fd99053
SHA1: 4c752327d2e9d1118e5daae6100dbeaceecfc987
SHA256: f4156e15b465020e6687a23a63eb4b7c84a18f90ead4665087c6c2e5a09b455d
SHA512: 02703aa721ccbd210ba5fb46421f4c675266edf7a4c2b2e47bbca9b08845088d72e1656f38fcd5f010ad27da0adf395d2d63c11bde672f33f9168e6a847ea173
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload
Adds policy Run key to start application
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
Suspicious use of SetThreadContext