General
-
Target
0fa8c40b66010aa718362b8bb897a8ddbb90301af45f7741c1fc11c8ec1d1fbf
-
Size
331KB
-
Sample
220521-d13lasgfe5
-
MD5
debeeda2ebd46666ab7d156bfd4ca872
-
SHA1
4d2e794330e2e20495672562fa9fc1a4f03e0e42
-
SHA256
0fa8c40b66010aa718362b8bb897a8ddbb90301af45f7741c1fc11c8ec1d1fbf
-
SHA512
0ab9b340ea619946b43ece8f7ccd781d490e71f4499dfda2b06dcc623cea9e4a75fcfdb37c3db2f43c9e2d2d3cd3086cdd812128d7c4832d4aaa7e83adcc74c4
Static task
static1
Behavioral task
behavioral1
Sample
sample.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
4.1
p2p
sjaxdbcj.com
kamalsparsh.com
qwc.ink
skyblockservers.com
servantquarters.info
databuster.net
randomwalk.science
momeidou.com
oxim.us
heartdogstudios.com
grindskip.com
61jg.info
209bifa.com
shanti-company.com
arrqam.com
worldupbiz42.com
mdr-gni-treatment.info
homecenterpoint.com
zqxxnykj.com
www7777221.com
theluxeaficionada.com
organicwaistcinchers.com
somalilandlibrary.com
solauri-asset.biz
eozmi.com
mathdorks.com
getfect.com
inmotionrobot.com
raveprinting.net
nwmcourse.com
dorahosting.com
pdcxlg.men
businesscoverinsurance.com
hbzios.ltd
schememarketingagency.com
sevenfingerfarms.com
conrak.net
1252hood2w.info
brglp.win
designderaiz.com
fithealthrapidadvancement.com
akiconcept.com
hillcrestconstruction.net
alipira.express
far-r.com
xn--wk8b.com
zh0520.com
inhim.live
cmsdf.info
mqckly.com
288manbet.com
distinctstyleprestige.com
cefewf.info
airbncamp.net
ttjuezhan.com
rentalocalcar.com
oceuro.com
kindarchitecture.com
thecannabiscupboard.com
congtyhoaithuong.com
zhihaoshengshi.com
kwonjiyong12.com
allnaturalcbdsgardengrove.com
magnoliandmelrose.com
writusp.com
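The domain list above is the bot's configured C2 pool, and FormBook pads that pool with decoys it cycles through, so it should not go straight into a blocklist. The added example below (not part of the sandbox report) cross-references a subset of these domains with proxy telemetry and keeps only the hosts the sample actually contacted on the check-in path. It assumes that the `p2p` config field is the URI path segment used for check-ins and that the bot prefixes hosts with `www.`; the log lines are constructed for the example.

```python
"""Cross-reference an extracted FormBook config with proxy telemetry.

Added example for this report, not part of the Triage output. FormBook
configs carry dozens of domains and nearly all of them are decoys the bot
cycles through, so the raw list is a poor blocklist. The hosts worth acting
on are the ones the sample actually contacted on the configured C2 path.
Assumptions: the 'p2p' config field is the URI path used for check-ins,
the bot prefixes hosts with 'www.', and the log below is constructed.
"""
import re
from urllib.parse import urlsplit

# Subset of the domains listed under 'Malware Config' in the report.
CONFIG_DOMAINS = {
    "sjaxdbcj.com", "kamalsparsh.com", "qwc.ink", "skyblockservers.com",
    "servantquarters.info", "databuster.net", "randomwalk.science",
    "momeidou.com", "oxim.us", "heartdogstudios.com", "grindskip.com",
}

# Assumption: the 'p2p' field is the C2 path, so check-ins look like
# GET http://www.<domain>/p2p/?<id>=<base64>&<id2>=<value>
C2_PATH = "/p2p/"

# Constructed proxy log: "<time> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2022-05-21T04:10:01Z 10.0.0.7 GET http://www.kamalsparsh.com/p2p/?2bh0=A1b2C3d4&Qn=X 404
2022-05-21T04:10:03Z 10.0.0.7 GET http://www.qwc.ink/p2p/?2bh0=A1b2C3d4&Qn=X 200
2022-05-21T04:10:04Z 10.0.0.7 POST http://www.qwc.ink/p2p/ 200
2022-05-21T04:10:09Z 10.0.0.7 GET http://www.oxim.us/p2p/?2bh0=A1b2C3d4&Qn=X 403
2022-05-21T04:11:00Z 10.0.0.7 GET http://www.microsoft.com/ 200
2022-05-21T04:11:30Z 10.0.0.9 GET http://grindskip.com/about 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def normalise_host(host: str) -> str:
    """Lower-case, drop a trailing dot and the 'www.' the bot prepends
    (assumption) so hosts compare equal to the config entries."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts; skip malformed lines."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        events.append({
            "ts": m["ts"], "client": m["client"], "method": m["method"],
            "host": normalise_host(url.hostname or ""),
            "path": url.path, "status": int(m["status"]),
        })
    return events


def triage(events: list, config_domains=CONFIG_DOMAINS, c2_path=C2_PATH) -> dict:
    """Bucket config domains by what the telemetry shows.

    live      - contacted on the C2 path and answered 200 (real C2)
    probed    - contacted on the C2 path but answered with an error (decoy)
    untouched - in the config but never hit on the C2 path
    """
    contacted = {}
    for ev in events:
        if ev["host"] in config_domains and ev["path"] == c2_path:
            contacted.setdefault(ev["host"], []).append(ev)
    live = sorted(h for h, evs in contacted.items()
                  if any(e["status"] == 200 for e in evs))
    probed = sorted(set(contacted) - set(live))
    untouched = sorted(set(config_domains) - set(contacted))
    return {"live": live, "probed": probed, "untouched": untouched}


if __name__ == "__main__":
    for bucket, hosts in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{bucket:>9}: {', '.join(hosts) or '-'}")
```

Only `qwc.ink` ends up in the `live` bucket: it answered a check-in and then received a POST, which is the pattern worth blocking and hunting across the fleet. The two domains that answered 404/403 are the decoys a FormBook infection burns through on its way to the real server, and a config domain hit on an unrelated path by another client (`grindskip.com/about`) is deliberately not promoted, since the decoy list is built from legitimate registered domains.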
Targets
-
-
Target
sample
-
Size
360KB
-
MD5
3da0759681d198fe698227ccd07077e9
-
SHA1
bb4315e844e89f46f230a5172a5220ff7d60c80b
-
SHA256
b9c1be5f81b9261b1bb68fb0f667a57721bd04b750427a9382844c42d18dba6e
-
SHA512
3756319a44e054e5fe27274e22dc121863777ca5ed9876eee9b48cb32c90e1fa42a9310c10c644f9c59cf97e6846b3eaf63f1200b301c3630f8ee7224fca6db2
-
CoreEntity .NET Packer
CoreEntity is a .NET packer that embeds its payload as a Bitmap object and decrypts it at runtime.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Checks computer location settings
Reads the country code configured in the registry, most likely as a geofence check.
-
Uses the VBS compiler for execution
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
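The behavioural signatures above (vbc.exe launched for execution, a Run key written for persistence, and SetThreadContext used on another process) map onto host telemetry a detection engineer can query. The added example below is not part of the sandbox report: it runs three heuristics over constructed Sysmon-style events (Event IDs 1, 10 and 13). It assumes that "VBS compiler" refers to `vbc.exe`, and it approximates the SetThreadContext step with a ProcessAccess event whose granted-access mask includes PROCESS_VM_WRITE (0x20) and PROCESS_SUSPEND_RESUME (0x800), because Sysmon does not log SetThreadContext itself or the registry read behind the geofence check.

```python
"""Detect the persistence and execution behaviours from the report in
Sysmon-style telemetry.

Added example, not part of the sandbox report. The events below are
constructed in the shape of Sysmon Event ID 1 (process create), 10
(process access) and 13 (registry value set). Assumptions: 'Uses the VBS
compiler' means vbc.exe, and a SetThreadContext-based hollow shows up as a
ProcessAccess event whose mask grants PROCESS_VM_WRITE (0x20) and
PROCESS_SUSPEND_RESUME (0x800). Sysmon does not see SetThreadContext or
the registry *read* behind the geofence check, so those are not covered.
"""
import ntpath

RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Parents that legitimately launch the VB.NET compiler (assumption).
EXPECTED_VBC_PARENTS = {"msbuild.exe", "devenv.exe", "csc.exe", "vbc.exe"}
PROCESS_VM_WRITE, PROCESS_SUSPEND_RESUME = 0x20, 0x800

VBC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
SAMPLE = r"C:\Users\bob\AppData\Local\Temp\sample.exe"

# Constructed events; the SID and paths are made up for the example.
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": VBC, "ParentImage": SAMPLE},
    {"EventID": 10, "SourceImage": SAMPLE, "TargetImage": VBC,
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": VBC,
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"C:\Users\bob\AppData\Roaming\WinUpdate\update.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
]


def basename(path: str) -> str:
    """Windows-style basename, lower-cased (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect(events: list) -> list:
    """Return (rule, detail) tuples for each event that trips a heuristic."""
    hits = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            # vbc.exe started by something other than a build tool.
            if basename(ev["Image"]) == "vbc.exe" and \
                    basename(ev["ParentImage"]) not in EXPECTED_VBC_PARENTS:
                hits.append(("vbc_unexpected_parent", ev["ParentImage"]))
        elif eid == 10:
            # Write + suspend/resume rights on another process from a
            # binary in a user-writable location: hollowing heuristic.
            mask = int(ev["GrantedAccess"], 16)
            if (mask & PROCESS_VM_WRITE and mask & PROCESS_SUSPEND_RESUME
                    and in_user_writable(ev["SourceImage"])):
                hits.append(("possible_hollowing",
                             f'{ev["SourceImage"]} -> {ev["TargetImage"]}'))
        elif eid == 13:
            key = ev["TargetObject"].lower()
            if any(marker in key for marker in RUN_KEY_MARKERS):
                # Run entries pointing into AppData/Temp are the ones to chase.
                severity = "high" if in_user_writable(ev["Details"]) else "info"
                hits.append((f"run_key_{severity}", ev["TargetObject"]))
    return hits


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:<24} {detail}")
```

The vendor installer's Run entry is surfaced at `info` only, since Run-key writes from Program Files are routine; the entry written by an injected `vbc.exe` into AppData is the one that matches this sample's behaviour and is rated `high`. Treat all three rules as hunting heuristics rather than alerts on their own: a 0x1FFFFF ProcessAccess mask is also common for debuggers and some security tools.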