General
Target: b64040919a8c9500cae6c10c5d05fd697e17bcb79a730e754fc2f6381e8620be
Size: 640KB
Sample: 220521-n1jhjahegn
MD5: 6a1e13ee75c68d0a0f10aa275859463f
SHA1: d1d901fa39a9d23d9ef3e431e367f37568fb74e7
SHA256: b64040919a8c9500cae6c10c5d05fd697e17bcb79a730e754fc2f6381e8620be
SHA512: 6712f31f8c101c155632581c3c9faf71d98099e7c4d9aab4878590f178974622a5dd8ac41cbccaa52504a3da42999e4edb3fd31ddd4da99596094629ebd3fce3
Static task: static1
Behavioral task: behavioral1
Sample: MV TBN -Specification and PL-DOCX.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
3.9
hm2
Targets
Target: MV TBN -Specification and PL-DOCX.exe
Size: 1.1MB
MD5: 03f9ffea8cc879ec181c918152814554
SHA1: b778b6ef1adf0eeb945b762a2ac99c893e5be5de
SHA256: bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a
SHA512: 642843897a84e82491cfa93f430490e9dcf83622c2c344c4c56f15920081665e716c4771f055aafb3b232ad887242ef0ef0785d1ee97b64efda3360b9f5b1e35
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext