General
Target: 3ad0f62d563674c1b7b8bf1db9dc03c9a22ef1af11c4b07c0c3e20af270d4fc0
Size: 305KB
Sample: 220521-bwf6dsffbk
MD5: 65ef4e367f4630f1e3288637a94b6dcc
SHA1: f0c264c67d9e748c507bacfded48bdfaa5740f6b
SHA256: 3ad0f62d563674c1b7b8bf1db9dc03c9a22ef1af11c4b07c0c3e20af270d4fc0
SHA512: ef6adc3bfce84bda743d75aad69f3514872d41294719642fa74a58870598d7d5dadf4d711fd75afd86297277d062f10665e39fb68a7c1415bc5dac6545a28f67
Static task: static1
Behavioral task: behavioral1
  Sample: q0pddrer.q1m.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: q0pddrer.q1m.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
Family: formbook
Version: 3.9
Campaign: s5l
Targets
Target: q0pddrer.q1m.exe
Size: 471KB
MD5: aa2c30ea587e5b05f87bf7a9799766be
SHA1: d8e5e747cc4f185032329f7d2cf3589b16e093db
SHA256: 8f1e4d566bca753281462bd0d67815385c0d06eff9ff67e691831a0db757701c
SHA512: eb977ceb601bdb5151826ccd6399d25b9d3f8267070cd37ebda0d73ec0d4280603a698d4a0f4c532d4de04e4f06baf4017fa0c0d1d65f2ae7f22e7841652d424
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext