General
Target: 7077dc6b11200f419f78a5768af01a0134dbb398c70e373ddd5e5ba5f583472b
Size: 263KB
Sample: 220521-bsz44acdf6
MD5: 6195861513dc74e72eac71d6a0b83887
SHA1: 02e5a65bb71f73ff5a045f270248e10531784704
SHA256: 7077dc6b11200f419f78a5768af01a0134dbb398c70e373ddd5e5ba5f583472b
SHA512: b2d8864303c1162a3883f0060c764e99fdf8e2cba4d730d8c83f48c645ef6cdeca939ab040c09f1b8d4b4ba508260fbb81796ea94782a1b133cbf016bb0547a3
Static task
static1
Behavioral task
behavioral1
Sample
Contract Documents.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
3.9
nfl
Targets
Target: Contract Documents.exe
Size: 344KB
MD5: 376d7e1871d7d432b255403e399e6334
SHA1: a2a852627172066b3fbd344abdb3aa985ec35b47
SHA256: 6348a886a9796d2fa05cd1792d8299c1a3a66e016b04a115e34c47d49415714d
SHA512: 2bd6de7794a465193331a590145c5422ba6ec607b4ec4b98662302e8d7763d41971ee5e84c92052f056a1b8b0584461d99db7cf81b457df08f6d7ef2d5e8436b
- CoreEntity .NET Packer: a .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Checks computer location settings: looks up the country code configured in the registry, likely for geofencing.
- Adds Run key to start application
- Suspicious use of SetThreadContext