General
Target: 29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708
Size: 245KB
Sample: 220521-dtm72agcf7
MD5: 753f76dc719b6be39f1cf6ff22dd210f
SHA1: 6faa2e2d6b0ecbd8fc625e1ae106d2d1eec513af
SHA256: 29a2494b73b9775e4dbaa708d8584f1ce1e6aae6c49d5589b18dbe066e4cb708
SHA512: 3a990dc83254f040422963f521d88bf5c0e077d0653a07ee04c70a75f8a2643ffc61c9ed5105a7bee4b17ee7b716cca1cc64668e2df220c635cce3e66ccebf33
Static task: static1
Behavioral task: behavioral1
  Sample: ORDER INQUIRY.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: ORDER INQUIRY.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
Family: formbook
Version: 3.9
Campaign: 20w
C2 domains (Formbook hides its live C2 among decoy hosts it also contacts; the extractor does not mark which entry is live, so treat every domain below as an indicator):
cofounder.technology
mrbajaf.com
xn--w9s874cfjq5fk.com
haliciogluhali.net
vanessadunfordhere.com
lookguy.win
91javac.com
goldennd.com
nwatheeliteteam.net
tumpukganda.com
clarservicios.com
koghana.com
workingwithroland.com
yellowsocialbox.com
under-dawg.com
sdtjtzyz.com
banditaerialproductions.com
newssmog.com
tefnmp.men
rebelialabel.com
shubhankarthinks.com
weldlngwarehouseinc.com
cxwlkjgs.com
sfbtadvertising.com
just-climb-it.com
abigailstales.net
erreapeworld.com
ujoi0cb3td.com
adhitshet.com
loi-mezard-invest.com
shimanami-guesthouse.com
5bu3.com
koszr.info
shopgoperinnovation.com
matthiasdittert.com
stiffeducation.com
projectoverflowinc.com
v5rayp.club
dqklfr.info
jacobsonfordl.com
chicagobps.biz
bsateenalsharq.com
238bifa.com
kairui.ink
lai2151.com
simplysavvysolutions.com
watertable.win
robotica.tech
avggrfx.com
teleportcafe.com
712roofing.com
07hosting.com
quiltlux.com
implantcyrkonowy.com
gnbaccelerator.com
negusangel.com
best1caratdiamondrings.com
elizabethlampertpr.net
pinpointlocalsacramento.com
skinstradesarea.com
morganhelps.com
divarium.com
njswd.com
bfmjgame.com
nyoxibwer.com
Targets
Target: ORDER INQUIRY.exe
Size: 279KB
MD5: 6bd95e18dbd55ab2bb32d2bdef0c88e6
SHA1: 5fb95f1577c4d4c810a2a663db4a87704031126e
SHA256: 27379cbd39dae5d145ff292ffd71387a5508bba83997177272742b486cb4e662
SHA512: 483301dd5b6198feab4dbaf0b17039a7b99e423a0c2eeaff609a1973d9b66cb3f22c1afab28769fb9a4530a2e3bb5b19ab3b2a62233807630db3ec6ffcb4fb32
Signatures
CoreEntity .NET Packer: A .NET packer known as CoreEntity that stores the payload inside an embedded Bitmap object and decrypts it at runtime, so the real executable never appears in the resources as a plain PE.
Formbook Payload: The decrypted payload is Formbook; its extracted configuration is listed above.
Checks computer location settings: Looks up the country code configured in the registry (typically under HKCU\Control Panel\International), likely a geofence that stops execution in certain regions.
Uses the VBS compiler for execution: The payload is run inside the Visual Basic compiler (vbc.exe), a .NET Framework binary, rather than from the sample's own process.
Suspicious use of SetThreadContext: SetThreadContext is called on a thread of another process, which together with the suspended vbc.exe host is consistent with process hollowing (create the child suspended, replace its memory, redirect its entry point, then resume it).
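How a Bitmap-carried payload of the kind the CoreEntity signature describes is recovered, as an added example that is not the page's or the packer's own code. The container layout and key are assumptions for illustration only: a 24-bpp BMP whose pixel stream holds a 4-byte little-endian length prefix followed by the payload under repeating-key XOR. The page does not describe CoreEntity's real container or cipher, so the point is the carving procedure (walk the headers, strip row padding, read the length, decrypt, sanity-check for a PE), not the specific key. The sample payload is a constructed stand-in with just enough header to pass the PE check.

```python
import struct

# Assumed container layout for this illustration (NOT CoreEntity's documented format):
# the BMP pixel stream holds a 4-byte little-endian payload length, then the
# payload XOR-encrypted with a short repeating key, then zero padding.
XOR_KEY = b"\x5a\xa5\x3c"  # hypothetical key, for the round-trip demo only


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_bmp(pixels_bgr: bytes, width: int, height: int) -> bytes:
    """Wrap raw 24-bpp BGR pixel bytes in BITMAPFILEHEADER + BITMAPINFOHEADER,
    padding each row to a 4-byte boundary as the format requires."""
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    rows = [pixels_bgr[y * row_bytes:(y + 1) * row_bytes].ljust(stride, b"\x00")
            for y in range(height)]
    pixel_data = b"".join(rows)
    data_offset = 14 + 40
    file_header = struct.pack("<2sIHHI", b"BM", data_offset + len(pixel_data), 0, 0, data_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return file_header + info_header + pixel_data


def pack_payload_into_bmp(payload: bytes, key: bytes = XOR_KEY, width: int = 16) -> bytes:
    """Packer side: encrypt the payload and lay it out as pixel data."""
    stream = struct.pack("<I", len(payload)) + xor_bytes(payload, key)
    height = -(-len(stream) // (width * 3))          # ceiling division
    stream = stream.ljust(width * 3 * height, b"\x00")
    return build_bmp(stream, width, height)


def carve_pixel_stream(bmp: bytes) -> bytes:
    """Analyst side: walk the BMP headers and return the pixel bytes with row padding stripped."""
    magic, _, _, _, data_offset = struct.unpack_from("<2sIHHI", bmp, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", bmp, 14)
    if bpp != 24:
        raise ValueError(f"unsupported bit depth {bpp}")
    row_bytes = width * 3
    stride = (row_bytes + 3) & ~3
    rows = []
    for y in range(abs(height)):  # negative height = top-down image; row bytes are read the same way
        off = data_offset + y * stride
        row = bmp[off:off + row_bytes]
        if len(row) != row_bytes:
            raise ValueError("pixel data truncated")
        rows.append(row)
    return b"".join(rows)


def unpack_payload_from_bmp(bmp: bytes, key: bytes = XOR_KEY) -> bytes:
    """Recover and decrypt the payload; refuses lengths that overrun the pixel data."""
    stream = carve_pixel_stream(bmp)
    (length,) = struct.unpack_from("<I", stream, 0)
    if length > len(stream) - 4:
        raise ValueError("declared payload length exceeds pixel data")
    return xor_bytes(stream[4:4 + length], key)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check a recovered blob: 'MZ' header and a 'PE\\0\\0' signature at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def constructed_sample_payload() -> bytes:
    """Constructed stand-in for a dropped executable (not a real binary):
    only the DOS/PE header fields that looks_like_pe inspects are populated."""
    buf = bytearray(0x120)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    buf[0x100:] = b"payload-body-bytes".ljust(0x20, b"\x00")
    return bytes(buf)


if __name__ == "__main__":
    bmp = pack_payload_into_bmp(constructed_sample_payload())
    recovered = unpack_payload_from_bmp(bmp)
    print(f"bmp {len(bmp)} bytes, recovered {len(recovered)} bytes, PE header ok: {looks_like_pe(recovered)}")
```

Against a real sample you would pull the Bitmap out of the .NET resource stream first (any .NET resource dumper will do), then adapt carve_pixel_stream to the bit depth it actually uses and replace the XOR stub with the routine the loader calls on the pixel buffer; the length-prefix check matters because a wrong key or wrong offset otherwise yields a silently garbage "payload".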
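The last two signatures (vbc.exe launched as a host process, SetThreadContext used on another process) are the building blocks of process hollowing. Below is an added detection example, not the sandbox's own signature logic, that correlates a constructed JSON-lines API trace: a child created with CREATE_SUSPENDED, memory written into it by its parent, its thread context replaced, then the thread resumed. The trace and its field names (pid, api, target_pid, child_pid, creation_flags, image) are assumptions; a benign suspended-then-resumed child and a SetThreadContext call on the caller's own thread are included to show what does not fire.

```python
import json

CREATE_SUSPENDED = 0x00000004

# .NET Framework binaries that loaders commonly hollow so the payload runs under a
# Microsoft image; vbc.exe is the one this report flags. Membership only raises severity.
HOLLOWING_HOSTS = {"vbc.exe", "csc.exe", "regsvcs.exe", "regasm.exe",
                   "msbuild.exe", "installutil.exe", "applaunch.exe"}

# Constructed JSON-lines API trace (not real sandbox output); field names are assumed.
SAMPLE_TRACE = r"""
{"pid": 1204, "api": "CreateProcessW", "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\vbc.exe", "creation_flags": 4, "child_pid": 2268}
{"pid": 1204, "api": "NtUnmapViewOfSection", "target_pid": 2268}
{"pid": 1204, "api": "WriteProcessMemory", "target_pid": 2268, "size": 184320}
{"pid": 1204, "api": "SetThreadContext", "target_pid": 2268}
{"pid": 1204, "api": "ResumeThread", "target_pid": 2268}
{"pid": 3000, "api": "CreateProcessW", "image": "C:\\Program Files\\Vendor\\helper.exe", "creation_flags": 4, "child_pid": 3100}
{"pid": 3000, "api": "ResumeThread", "target_pid": 3100}
{"pid": 4000, "api": "SetThreadContext", "target_pid": 4000}
"""

WRITE_APIS = {"WriteProcessMemory", "NtWriteVirtualMemory", "NtUnmapViewOfSection", "NtMapViewOfSection"}
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}
RESUME_APIS = {"ResumeThread", "NtResumeThread"}


def image_basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_hollowing(lines):
    """Return one alert per child that its parent created suspended, wrote into,
    re-pointed with SetThreadContext, and then resumed. Only events from the
    creating parent count, and a process touching its own threads is ignored."""
    suspended = {}            # child_pid -> (parent_pid, image path)
    written, context_set = set(), set()
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        api, pid, target = ev["api"], ev["pid"], ev.get("target_pid")
        if api.startswith("CreateProcess"):
            if ev.get("creation_flags", 0) & CREATE_SUSPENDED:
                suspended[ev["child_pid"]] = (pid, ev.get("image", ""))
        elif target in suspended and suspended[target][0] == pid and target != pid:
            if api in WRITE_APIS:
                written.add(target)
            elif api in CONTEXT_APIS:
                context_set.add(target)
            elif api in RESUME_APIS and target in written and target in context_set:
                parent, image = suspended[target]
                host = image_basename(image)
                alerts.append({
                    "parent_pid": parent,
                    "target_pid": target,
                    "host": host,
                    "severity": "high" if host in HOLLOWING_HOSTS else "medium",
                    "technique": "process hollowing (create suspended, write, SetThreadContext, resume)",
                })
                written.discard(target)      # alert once per hollowed child
                context_set.discard(target)
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_TRACE.splitlines()):
        print(alert)
```

The ordering requirement (write and context change before the resume, all from the creating parent) is what keeps debuggers and installers that merely start a child suspended from firing; a SetThreadContext without a prior write into the child is still worth a lower-severity note in real telemetry, since thread hijacking of an already-running process uses it without the suspended-create step.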