General

Target: 4c71d9af7f2460a7467b01ff03cfb4b060af418a050afa4895e4feea6c6ca322
Size: 208KB
Sample: 220521-mmfztafbdr
MD5: 07d431aabd1c64a305521f0eab14c186
SHA1: 888a88a96efc6fad5b4ab2c5ec32bc962bdc82b2
SHA256: 4c71d9af7f2460a7467b01ff03cfb4b060af418a050afa4895e4feea6c6ca322
SHA512: 5d78fd7f6de45af36942554e88bbd2debff18e0f15792e3ca16aa197723eb1dc38de854ea8aa99eda0725112b74cdae382653c2acfd7b37d08fad788abf354cf

The hashes above are of the submitted file (208KB). The executable actually analysed, RFQ_SMK_2020.exe under Targets, is 252KB and has different hashes; use the right set when matching against your own artefacts.
Tasks

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ_SMK_2020.exe
  Resource: win7-20220414-en (Windows 7 sandbox image)
Malware Config

Extracted
  Family: formbook
  Version: 4.1
  Campaign: b0y
  Domains (65, from the embedded config; the real C2 is mixed in with decoys):
    studiokopa.net
    captaindoggo.net
    project-woodwork.com
    lasvegaskosher.com
    elionimali.com
    cozystylekobe.com
    baiyizhao.com
    djaimevargas.com
    getshop.today
    chikkadee.com
    historicnortherncolorado.com
    artofbrandstorytelling.com
    robinsonscommunitiesph.com
    petfriendlyrentals.net
    dolphinsdragonsanddinsoaurs.com
    phucquangphat.com
    charitydigitalnetworks.com
    czhuiyue.com
    thetripletwomethod.com
    harvestexcitementonline.info
    journeytonothing.com
    fanwoodnjautorepairshop.com
    alicegaetano.com
    soicauxs88.com
    ig-talent.com
    orsens-massage.com
    michaelreevessoftware.com
    mhkjc.com
    wg9966.com
    jlovecash.com
    scambiolibri.online
    computerrepairasap.com
    frontroombingo.com
    pcpvusffuf.men
    neoconstruction-comores.com
    phnixusa.net
    baicheng.ltd
    whitneyarthofer.com
    xn--9vvu50a.com
    those2smartgirls.com
    escolamasrour.com
    studio1926.com
    minisdiner.info
    boxescar.com
    4rt.club
    ilovescience.news
    theberknszja.com
    bitlattice.limited
    haroldcomere.com
    manx497.com
    honda-power-products.com
    sirlocks.com
    lumio-rh.net
    lp-world.com
    linkpedia.info
    htphome.com
    robotforall.com
    32gd0.win
    rmsnow.com
    wdfdf.cymru
    sbdfengji.com
    turbotomperformance.com
    advancedcharterindustries.com
    atconstrucciones.com
    nacemo.com

Formbook configs carry one live C2 domain among a set of decoy domains, and the sample rotates through the list at runtime. A DNS or proxy hit on any of these names is therefore a lead to confirm against this report (campaign b0y, the GET check-in that the Suricata rule below flags), not on its own proof of C2 traffic; some of the decoys are legitimate sites.
Targets

Target: RFQ_SMK_2020.exe (the executable run in behavioral1; its size and hashes differ from the submitted file listed under General)
Size: 252KB
MD5: 92eeab6ae27f7e8ebd78d6ab90f43c28
SHA1: 74edeb5d49e3ad3ba7d790587cb11e41c448934e
SHA256: a292d3bcad4d1b89f818b84b070e269ed683e1f22a09209c4943c1693cb12d58
SHA512: ae5a0bde88ab4073f4b1e18948db6b8b1a11306ee75e072125caef5ed9641c442c73bc24dd4fa6c22b4840a42bdf48081690719d00dbcd8226f8dd35d596a44b
Signatures

Network (Suricata): ET MALWARE FormBook CnC Checkin (GET) (listed twice in the report)
Formbook Payload (a Formbook payload was identified during analysis)
Deletes itself (the original file is removed after execution, so the on-disk dropper may be gone by the time a host is examined)
Adds Run key to start application (persistence through a Run registry key; the exact key and value name are not given in this report)
Suspicious use of SetThreadContext (rewriting another thread's context is a common step in process hollowing and other injection techniques, which fits Formbook's habit of running from inside a legitimate process)
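The hashes under Targets and the domain list under Malware Config are the two IOC sets a responder would sweep a host with. The script below is an added example, not part of the sandbox report or of any Triage tooling: it computes the same MD5/SHA1/SHA256 as the report for a file and compares them, and it scans resolver log lines for queries that equal or fall under any config domain. The log lines are constructed for the demo and their `client <ip> query <type> <name>` shape is an assumption; adapt `QUERY_RE` to your resolver's format. The suffix match is deliberate so that `www.studiokopa.net` is caught while `notgetshop.today` is not.

```python
"""Sweep files and DNS logs against the IOCs in the Formbook report above.

Added example, not code from the sandbox report.  Hashes and domains are
copied from the report; DNS_LOG is constructed.  Formbook mixes its live C2
with decoy domains, so a domain hit is a lead to confirm, not proof of C2.
"""
import hashlib
import re

# Hashes of the analysed executable RFQ_SMK_2020.exe (Targets section).
REPORT_HASHES = {
    "md5": "92eeab6ae27f7e8ebd78d6ab90f43c28",
    "sha1": "74edeb5d49e3ad3ba7d790587cb11e41c448934e",
    "sha256": "a292d3bcad4d1b89f818b84b070e269ed683e1f22a09209c4943c1693cb12d58",
}

# All 65 domains from the extracted Formbook 4.1 config (campaign b0y).
CONFIG_DOMAINS = frozenset("""
studiokopa.net captaindoggo.net project-woodwork.com lasvegaskosher.com
elionimali.com cozystylekobe.com baiyizhao.com djaimevargas.com getshop.today
chikkadee.com historicnortherncolorado.com artofbrandstorytelling.com
robinsonscommunitiesph.com petfriendlyrentals.net
dolphinsdragonsanddinsoaurs.com phucquangphat.com charitydigitalnetworks.com
czhuiyue.com thetripletwomethod.com harvestexcitementonline.info
journeytonothing.com fanwoodnjautorepairshop.com alicegaetano.com
soicauxs88.com ig-talent.com orsens-massage.com michaelreevessoftware.com
mhkjc.com wg9966.com jlovecash.com scambiolibri.online computerrepairasap.com
frontroombingo.com pcpvusffuf.men neoconstruction-comores.com phnixusa.net
baicheng.ltd whitneyarthofer.com xn--9vvu50a.com those2smartgirls.com
escolamasrour.com studio1926.com minisdiner.info boxescar.com 4rt.club
ilovescience.news theberknszja.com bitlattice.limited haroldcomere.com
manx497.com honda-power-products.com sirlocks.com lumio-rh.net lp-world.com
linkpedia.info htphome.com robotforall.com 32gd0.win rmsnow.com wdfdf.cymru
sbdfengji.com turbotomperformance.com advancedcharterindustries.com
atconstrucciones.com nacemo.com
""".split())

# Constructed resolver log; the "client <ip> query <type> <name>" layout is
# an assumption for the demo, not a real product's format.
DNS_LOG = """\
2022-05-21T10:15:01Z client 10.0.0.23 query A www.microsoft.com
2022-05-21T10:15:09Z client 10.0.0.23 query A www.studiokopa.net
2022-05-21T10:15:44Z client 10.0.0.41 query A getshop.today.
2022-05-21T10:16:02Z client 10.0.0.23 query A notgetshop.today
2022-05-21T10:16:30Z client 10.0.0.23 query AAAA xn--9vvu50a.com
"""
QUERY_RE = re.compile(r"client (\S+) query \S+ (\S+)")


def hash_bytes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, keyed the same way as REPORT_HASHES."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return hash_bytes(fh.read())


def matches_report(hashes: dict) -> bool:
    """True only when every hash the report lists agrees with the computed one."""
    return all(hashes.get(name) == value for name, value in REPORT_HASHES.items())


def match_domain(name: str):
    """Return the config domain that `name` equals or is a subdomain of, else None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):        # every suffix with at least 2 labels
        candidate = ".".join(labels[i:])
        if candidate in CONFIG_DOMAINS:
            return candidate
    return None


def domain_hits(log_lines):
    """(line number, client, matched config domain) for each hitting query."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        hit = match_domain(m.group(2))
        if hit:
            hits.append((n, m.group(1), hit))
    return hits


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                # files to compare with the report
        verdict = "MATCHES REPORT" if matches_report(hash_file(path)) else "no match"
        print(f"{path}: {verdict}")
    for n, client, dom in domain_hits(DNS_LOG.splitlines()):
        print(f"line {n}: {client} queried config domain {dom}")
```

Run it as `python sweep.py <file ...>` to hash candidate files; the domain sweep over the embedded log runs every time. Because `matches_report` requires all three hashes to agree, a single-algorithm collision cannot produce a false match, and because the suffix match keeps at least two labels, a bare TLD such as `today` never matches.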