General
Target: 1e000dc5b51b181fe54c745cdbdefc108b82e1a508a2dfb9784449d68e23f6e5
Size: 236KB
Sample: 220521-mmh46sfbek
MD5: 8b181765be32aee0133933b2ac5ec658
SHA1: eb2d1d219a0761a3e48d72b7f68708600c206844
SHA256: 1e000dc5b51b181fe54c745cdbdefc108b82e1a508a2dfb9784449d68e23f6e5
SHA512: b2344cd616cdda6592b848145552ab3c10086ce83aa22fdd92c91b484c3d66ddf13ed4e3f2075f6008dfab6127f78c7b6d55b9067d05b8ed5a68d9ce8e4678c9
Static task: static1
Behavioral task: behavioral1
Sample: Order NORM-761-0.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
3.9
mw9
Targets
Target: Order NORM-761-0.exe
Size: 326KB
MD5: 3c47958dceec6beac4ef5c8fddacfa22
SHA1: 9ce83f8bd0b8ddd9e464c02993db62430851dd7f
SHA256: 7a755f37dfb67f9ee5f00330aeb01fc6262adc740d610549dbb2ec83e99a2618
SHA512: 043c5b3a8486357cd6ffdaba3554a0b85805e1eb2a1995fe78b216200413dc563eec67c5755998b760ec30a072cb5b12b25c4cac5104dfdaca1eda5bca4b4a4e
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext