General
Target: 20e3c744070c72a6ec5b03e044f996756bee8b49d5c9d6b852adaa71b15df670
Size: 351KB
Sample: 220521-dwmdhsbdej
MD5: 73ab6282340d7e818e7e714c6f5de271
SHA1: c36f965b9fa423c9d52ca5942e9bff1aa1a31893
SHA256: 20e3c744070c72a6ec5b03e044f996756bee8b49d5c9d6b852adaa71b15df670
SHA512: 903e76ad4b86fa5ae4dad6ed3717cc1796ac21242fb7b42290420cc28239b9d47a102abd92be94520389d619915ba8261e17612c15d06811963b8ae3d613cb5c
Static task: static1
Behavioral task: behavioral1
Sample: QRFN107571083IMB.exe
Resource: win7-20220414-en
Malware Config
Extracted: formbook, version 4.0, jac0
Targets
Target: QRFN107571083IMB.bat
Size: 405KB
MD5: 2d2db3a8698206d1e4b0928f4910de8c
SHA1: eb735b973979d0a6c3dbd32638c84990c4503a37
SHA256: 3b7dc89103d8c49eea88bd302c37e6b9c1f1ae13bdd38c9ff9709568b9f56e3b
SHA512: 5e9ce4fc978df75833069dbdd0de93ef07d2141b3facbee7e69e7177c02d5fe4b7e65e348d7179997d726961905e655fa9644652bf208ff6f47c798ef4683a11
CoreEntity .NET Packer: a .NET packer called CoreEntity that embeds the payload as a BitMap object, which is decrypted at runtime.
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext