General
Target: 96a45aa6b11334754407ad348675045fc8b38ee42300b1c1a1890db528c55484
Size: 447KB
Sample: 220521-n36qvahfhq
MD5: 40dc6e85f87183665ea359fa7f987c4c
SHA1: 8c486f214d8a89e02581e96cf5582214452bb750
SHA256: 96a45aa6b11334754407ad348675045fc8b38ee42300b1c1a1890db528c55484
SHA512: fde19c1c7d7eb0b00335422e644db0ffcdba5612ff4edbce065e7c5454458b842721806ed3d38b9b95daa099512af35f10ca43b68a23a5d91dc48fc820af6ec7
Static task: static1
Behavioral task: behavioral1
Sample: PO589698480055.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: formbook
Version: 3.9
Campaign: b5c
Targets
Target: PO589698480055.exe
Size: 643KB
MD5: c3b570985ebb19c8b6fefc9fdaf74760
SHA1: bf022fee032f9911a0f87ab056e9a28571d18bdf
SHA256: 5a67dee45b2e60de47e22739c8be8614f31cdb4acbaf554f37d06ea41ddd8762
SHA512: ce762bccc0d924f2bf02711ef760c00c8333afe4475b7409fa89c79bd584422436d922a9d3b5d7592212bef401b9db51a4d7280c05b68e867f402de8ce09ea9d
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Adds policy Run key to start application
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext