General
- Target: 3c02bb7b44aed296562d9cd1b8a999438ebe46129a9a9eed79dc6e86a1581048
- Size: 536KB
- Sample: 220521-my7lxafhap
- MD5: 44255c749cdfe1ab1d9a0c7a8d7826e6
- SHA1: 761811c8c2a6522a740ef26b53a358f6c5e0edcf
- SHA256: 3c02bb7b44aed296562d9cd1b8a999438ebe46129a9a9eed79dc6e86a1581048
- SHA512: 606766fb3ad926e18c69dca2b68ad71f1f61e0b66427ed7f0de0b1e2103b4e8b96297b840213252bb611059390a11e8b3ba62cb0d086281e0ed0d45dd690bc61
- Static task: static1
- Behavioral task: behavioral1
- Sample: R220917549.exe
- Resource: win7-20220414-en
Malware Config
- Extracted: formbook
- Version: 3.9
- crt
Targets
- Target: R220917549.exe
- Size: 923KB
- MD5: 65e707bd6d53922eed2f27b35bd5355a
- SHA1: 8e2cb2687357567045584ed5cb36c11cc928f4a4
- SHA256: ca2474c82643817c50106479f991ae282b9bb24fde98721dc5f99fe9a5eb3300
- SHA512: 606f8a9fab4b19fc43ed233f62fcefc3758e1e8fd6358b9fecbd8a3e3a43027ddded905ad2fc185eec7c3e14c1ad563ce007cb35f61797846807757b2ac1447a
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext