General
Target: a7ac86859df3916a97fb2dff315541ad5f53075a6d4d6f151478ff083192ea24
Size: 266KB
Sample: 220521-bqhf9sfcfp
MD5: b6c0965a4ddfd56bd4cc9c7f0b01d82b
SHA1: 832f5a884eb899849876ad9ce899df101dc56acd
SHA256: a7ac86859df3916a97fb2dff315541ad5f53075a6d4d6f151478ff083192ea24
SHA512: 4169c90190316689d4e1452f8c3ddcf6cf5190fb8623755fd06506490ebb725973153a010c61beb9c58bfa8eb8c90355f09308b146e680e0db382f2f939096f1
Static task: static1
Behavioral task: behavioral1
Sample: RFQ#7018.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
3.9
20w
cofounder.technology
mrbajaf.com
xn--w9s874cfjq5fk.com
haliciogluhali.net
vanessadunfordhere.com
lookguy.win
91javac.com
goldennd.com
nwatheeliteteam.net
tumpukganda.com
clarservicios.com
koghana.com
workingwithroland.com
yellowsocialbox.com
under-dawg.com
sdtjtzyz.com
banditaerialproductions.com
newssmog.com
tefnmp.men
rebelialabel.com
shubhankarthinks.com
weldlngwarehouseinc.com
cxwlkjgs.com
sfbtadvertising.com
just-climb-it.com
abigailstales.net
erreapeworld.com
ujoi0cb3td.com
adhitshet.com
loi-mezard-invest.com
shimanami-guesthouse.com
5bu3.com
koszr.info
shopgoperinnovation.com
matthiasdittert.com
stiffeducation.com
projectoverflowinc.com
v5rayp.club
dqklfr.info
jacobsonfordl.com
chicagobps.biz
bsateenalsharq.com
238bifa.com
kairui.ink
lai2151.com
simplysavvysolutions.com
watertable.win
robotica.tech
avggrfx.com
teleportcafe.com
712roofing.com
07hosting.com
quiltlux.com
implantcyrkonowy.com
gnbaccelerator.com
negusangel.com
best1caratdiamondrings.com
elizabethlampertpr.net
pinpointlocalsacramento.com
skinstradesarea.com
morganhelps.com
divarium.com
njswd.com
bfmjgame.com
nyoxibwer.com
Targets
Target: RFQ#7018.exe
Size: 304KB
MD5: ff63351b26aa98482e65c848d3c81dba
SHA1: a12eac529a3e6f4f54ef3132077ede6fadac14ee
SHA256: e2234312d9f3cca21a317e8fddb427b2dd315cd69f9c1cc3606016c154fa4182
SHA512: 656a29f833f50921196bcee13f39ad6eb2c2f7f4aaedf471b3517d6b366354579e3f103d2e2ac3c398b5a1be647149825d58f240defd07a430a6aa3f811fedd5
-
CoreEntity .NET Packer
CoreEntity is a .NET packer that embeds its payload as a BitMap object, which is decrypted at runtime.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Adds policy Run key to start application
-
Checks computer location settings
Looks up the country code configured in the registry, likely used as a geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext