General
Target: be212619b97ee6954f65301efb5027961cebf3ac7ce8edd71dda5872442cea0c
Size: 261KB
Sample: 220521-bpnxnacca7
MD5: 8947567c8965dd5dbfbc5ad855a4870f
SHA1: 056840758e7600d73a2e638990f42ee9c2526dca
SHA256: be212619b97ee6954f65301efb5027961cebf3ac7ce8edd71dda5872442cea0c
SHA512: ee4ca1131d0885b8cb471e11ceb0f3f09558362053a07dd59cdbf7c744c8c5eaad244ebd4c54cb0dd9df86c862d1ec9b9ba8ddee22e647074bc3a9e409f4a16a
Static task: static1
Behavioral task: behavioral1
Sample: Payment Slip.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.0
i032
Targets
Target: Payment Slip.exe
Size: 305KB
MD5: 959cc1d1577952988bee9d96237dc04f
SHA1: 11942e192b6f5f4bba6947653fb070385f42998a
SHA256: 9e5404dae4cf7c22028a3d09e99fa532a1f14e0636aa8112d177933a8b066b6c
SHA512: 30e5e5f62239042b905a01c7d51f52f7be5668dbe23d4ec63b3a0c8e50f9ccb2f770fce1efbcd3914e842f0762838f8eb0ed9db1eb1fb670c890caaeece8fb70
- CoreEntity .NET Packer: A .NET packer, CoreEntity, that embeds the payload as a Bitmap object which is decrypted at runtime.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- CoreCCC Packer: Detects the CoreCCC packer used to load .NET malware.
- Formbook Payload
- Checks computer location settings: Looks up the country code configured in the registry, likely for geofencing.
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext