General
Target: fe1e12e4d258ee81553219aba85ac4d54873becc6598f70d0c060e63a3817214
Size: 343KB
Sample: 220521-blk2lacag4
MD5: 4f4e5d926b14eaa82824b3655fb75b0b
SHA1: e0b2362bc434e27224d2bc4700b4073fcb7223d3
SHA256: fe1e12e4d258ee81553219aba85ac4d54873becc6598f70d0c060e63a3817214
SHA512: 66acd991241fed542b10068dd31d58b4e66849613a49860e7711c4ab141ed28d649209405e073c26037f441df50cb1adb954ad64462175d00008cfccb8bab638
Static task: static1
Behavioral task: behavioral1
Sample: RFQ #005460.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
q5e
Targets
Target: RFQ #005460.exe
Size: 480KB
MD5: 34eea69edb6613e5544b9c169ddb2b18
SHA1: 852d1c8303c6f8f14c0ac2ada3db5b2452828766
SHA256: 67919ae47a37d6ee2dab5c3899fdd83f293f06f5678aab8c7219e497f74690ec
SHA512: c1239ad2d5f716af4c3c36fab93aa75b69f2fe4026e281f95048ea838261d3c2e140cb62280f089b0f8c6028eef8eb6ed8e599d61dccdc712ef8f8ed6c0d1750
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext