General
-
Target
ef76be173c03ffd56f7b5607b65c7fd8d4833d6b76be683f1e7fd82fd9f86900
-
Size
271KB
-
Sample
220521-cbbkvadee7
-
MD5
3abf5b51d0697b600e3d9110aae65c1b
-
SHA1
f15b5f529fab8865e02abedb7ea4b539059a5882
-
SHA256
ef76be173c03ffd56f7b5607b65c7fd8d4833d6b76be683f1e7fd82fd9f86900
-
SHA512
69c876caa5b3f73b66317051976c9698ad6486026d7d39a0b161ef534c8a0148d30dac86c4dfbbe3856df333a47d852e7aee2630011410c94aee9694a072c5af
Static task
static1
Behavioral task
behavioral1
Sample
HSBC Payment Advice.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
HSBC Payment Advice.exe
Resource
win10v2004-20220414-en
Malware Config
Extracted
formbook
4.0
jac0
chatbot-consulting.com
alynt.info
saudiarabianwomenjobs.biz
kingtour.info
poshlacore.com
hypnosetherapist.com
tampahurricanrelief.com
qqgan16.com
tag-designco.com
viaeviastaff.com
unhosting.today
apple-request.info
whitesauce.net
627evq.info
mygolfingwarehouse.com
materiaprojects.com
rj-ipt.net
cordences.com
invescoapconference.com
supplementcult.com
flfsd.net
rasa36.com
nicorise.com
xdomainz.com
onlinemoneyguru.com
playupmusic-mail.com
zpdqd.com
convertproof.net
disasterreadyclub.com
1t1threeout.men
prestijoto.net
mining-tec.com
kleinpelteam.com
bbslsj.info
krebsoottthrobseousfleis.win
homeinandalucia.com
gillespievideocreations.com
zbktw.com
blogs-caraibcreolenews.com
huitiemeciel.com
rodrigodahora.com
salon-lewalo.com
webstudio20.com
realtheproducer.com
sistereasyweed.com
belendeazcarate.com
computerrepairtacoma.com
cbrenp-crosspoint2030.com
krystaeducatrice.online
gastro-va.com
1t1sixtake.men
birimmarble.com
springfieldrise.community
hachette-service.com
fbhlpsn.com
hotmessanglerapparel.com
stephenwinterphoto.com
xn--fhq334dxx9a.net
acctedu.com
huafeng.biz
united-transfer.com
toppayingsites.info
sc2zhibo.com
repsolenergyinc.com
regulars5.com
Targets
-
Target
HSBC Payment Advice.bat
-
Size
329KB
-
MD5
3fa896fb15113a55eef386e3c00c6897
-
SHA1
9b41de7e652c801ecd1dfc266983dd1675d90a3c
-
SHA256
a5a17e29758a200bd8bd3805f5b1f292a236ee994274033ee1953ec7e9690db3
-
SHA512
e3f95d33f12de8eda7e1602d04f4c6f6539645d2275133fca87fb9687971d5d03db6a033deb21f69e4be808fb68c2793a0910a27b683ca15f7884ae977b36215
-
CoreEntity .NET Packer
A .NET packer, CoreEntity, that stores its payload as an embedded Bitmap object and decrypts it at runtime.
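The bitmap-carrier technique described above, as an added worked example that is not CoreEntity's code and not taken from this report: a Python script that builds a 24-bpp BMP whose pixel array carries a length-prefixed, XOR-encrypted payload, then carves and decrypts it the way an unpacker would. The XOR key, the 4-byte length prefix, the pixel layout and the `pack_into_bitmap`/`unpack_from_bitmap` names are assumptions for illustration; the report does not state which cipher or layout CoreEntity uses, so a real unpacker needs those recovered from the loader first. The sample payload bytes are constructed inline.

```python
import struct

# Assumed layout (illustrative, not CoreEntity's documented format):
#   BITMAPFILEHEADER + BITMAPINFOHEADER, 24 bpp, uncompressed,
#   pixel array = 4-byte little-endian length || XOR(payload, key),
#   rows padded to 4-byte boundaries as the BMP format requires.
BMP_HEADER = "<2sIHHI"       # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
DIB_HEADER = "<IiiHHIIiiII"  # BITMAPINFOHEADER (40 bytes)


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; stands in for whatever cipher the real packer uses."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_into_bitmap(payload: bytes, key: bytes, width: int = 7) -> bytes:
    """Embed a payload in the pixel array of a valid 24-bpp BMP (packer side)."""
    body = struct.pack("<I", len(payload)) + xor(payload, key)
    bytes_per_row = width * 3
    stride = (bytes_per_row + 3) & ~3          # BMP rows are 4-byte aligned
    height = -(-len(body) // bytes_per_row)    # ceiling division
    rows = []
    for r in range(height):
        chunk = body[r * bytes_per_row:(r + 1) * bytes_per_row]
        chunk = chunk.ljust(bytes_per_row, b"\x00")  # fill the last row
        rows.append(chunk.ljust(stride, b"\x00"))    # add row padding
    pixels = b"".join(rows)
    off = struct.calcsize(BMP_HEADER) + struct.calcsize(DIB_HEADER)
    dib = struct.pack(DIB_HEADER, 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    hdr = struct.pack(BMP_HEADER, b"BM", off + len(pixels), 0, 0, off)
    return hdr + dib + pixels


def unpack_from_bitmap(bmp: bytes, key: bytes) -> bytes:
    """Carve the pixel array, strip row padding, decrypt (unpacker side)."""
    magic, _, _, _, off = struct.unpack_from(BMP_HEADER, bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    _, width, height, _, bpp, comp, *_ = struct.unpack_from(DIB_HEADER, bmp, 14)
    if bpp not in (24, 32) or comp != 0:
        raise ValueError("unsupported bitmap: only uncompressed 24/32 bpp handled")
    pix_bytes = bpp // 8
    stride = (width * pix_bytes + 3) & ~3
    # Take only the width*pix_bytes payload bytes of each row; the padding
    # bytes are not part of the data stream and would corrupt the output.
    raw = b"".join(
        bmp[off + r * stride: off + r * stride + width * pix_bytes]
        for r in range(abs(height))
    )
    (n,) = struct.unpack_from("<I", raw, 0)
    if n > len(raw) - 4:
        raise ValueError("length prefix exceeds available pixel data")
    return xor(raw[4:4 + n], key)


def demo() -> bytes:
    """Round-trip a constructed PE-like payload through a bitmap carrier."""
    payload = b"MZ\x90\x00" + bytes(range(100))   # constructed sample bytes
    key = b"\x5a\xc3\x11"                          # assumed key
    bmp = pack_into_bitmap(payload, key, width=7)  # width 7 forces 3 pad bytes/row
    recovered = unpack_from_bitmap(bmp, key)
    assert recovered == payload
    return recovered


if __name__ == "__main__":
    out = demo()
    print(f"recovered {len(out)} bytes, header={out[:2]!r}")
```

Width 7 is chosen so that each 21-byte row carries 3 bytes of padding; forgetting to strip that padding is the usual mistake when carving payloads out of bitmap resources, and it shows up as a decrypted blob that starts correctly and then drifts out of alignment after the first row.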
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
Adds policy Run key to start application
-
Deletes itself
-
Suspicious use of SetThreadContext
-