General
-
Target
2c915962f67406c0983f47ddc887814e0322b009eb79e883fa81dad6459eb5a1
-
Size
335KB
-
Sample
220521-ds4hmagcd9
-
MD5
539f1009ff7290d988a47dd81e2a821c
-
SHA1
e437ec926c9b9d8ffad7a365b533083b8e30dbbd
-
SHA256
2c915962f67406c0983f47ddc887814e0322b009eb79e883fa81dad6459eb5a1
-
SHA512
035e8c0d98f7a2841ddc6853b7a8e41931585dee222b03b292592ffeb03a1df149eac0090a0119153b1839d77a7822ec39c62789bf9a149ccc4f4af2cbcc0489
Static task
static1
Behavioral task
behavioral1
Sample
???? ????????? ?? ???????.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
4.1
kvsz
okashyns.com
sbsgamedaejeon-two.com
drb77.com
top5dating.com
websprings.online
voizers.com
zenith.site
lahistoriade.com
qv85.com
armandonieto.com
priestvedic.com
jessandjeff.net
magic-desktop.com
jitaji.com
ldmeili.com
yuwanqingmy.com
buzhouorg.com
chaiseloungereviews.com
m2g8way.com
freespin-support.com
bocapvang.net
315px.com
eugeniobarros.tech
sif.email
xn--oorv2aj6bj7cds0d6p4b.com
polychips.com
grouptulip.win
landbank.site
bet365c.win
inbonz.com
outofthepark.today
jeaniney.com
weeip.com
dmoneylife.com
rticlubs.com
reisedating.com
marijuanadogbone.com
funippon.com
banknotesync.com
alexandre-boissard.com
valorartetattoo.com
savetheverse.com
specificpcshop.online
h0jt1y.accountant
jiqing3.com
alfaranakle.com
saft-store.com
wanderingcollective.com
santandermobi.online
557023.top
loulancaster.com
vedattelekom.com
jatinangorcity.com
goldencanaries.com
edgaralanbro.com
levelretail.com
taylorsandbek.com
upbeatnewyork.com
motoreselectricoschihuahua.com
hotair.wales
getawomantodoit.com
xiaoxiong365.com
cloudboxsupport.com
vecteur-u-shop.com
fex-tracks.com
Targets
-
Target
???? ????????? ?? ???????.exe
-
Size
410KB
-
MD5
56daa8b66c2eaa065ac45b35dc95e942
-
SHA1
1ecb9d4715b768e99e0d607405ade60f19065bef
-
SHA256
8e5849ef6902da3c60c6697a9993c4db5e5d2e58b9b43f65a411c650535e8b6c
-
SHA512
1fac88fa7b6999869b84eb5cc365c2b86eed58598a55630beb4fbdbd4afecb66c44c7e94ed6fef7348e7b95241cbd254d0087be3dfa0b164f2d7ccd7b591c649
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
Adds policy Run key to start application
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application
-
Suspicious use of SetThreadContext