General
Target: 923cdb496689db82509ef78fdd3cebaa75e1590475693383570c20457929c3dd
Size: 198KB
Sample: 220521-mmglcacad3
MD5: 55a381cffe215a75123e8f36863ae53d
SHA1: d2c0f0cd5226c04fc5b60e491f65620341ceeb36
SHA256: 923cdb496689db82509ef78fdd3cebaa75e1590475693383570c20457929c3dd
SHA512: 6d5f3c3fc4d7f97e475650cc7c3ed1df8ec81a4c28c846e7f043bfbb7c63b62636de1f0696bd91c749a0c4d9f6f10a37b1cd97830b1e2c48bbe6f960453ac2fe
Static task: static1
Behavioral task: behavioral1
Sample: HSBC Beneficiary Payments Advice.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.0
lgm
Targets
Target: HSBC Beneficiary Payments Advice.exe
Size: 350KB
MD5: 284711c4fcb079feaedf50fe4083871d
SHA1: d3139e234e220719545cd01228816c90526dc167
SHA256: b57c9384280389b262d09cb4fa5b5465aadd4aaba2afb6d48c5d6e7c3f8d923e
SHA512: 30d344472900a40fb08c0e5407c032de16fd083e5b59780e1f63e542caded8d1e2c36c991b4d8dbe302e6fba9745d7488c27cd29e356bd92f273494d2a05e756
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext