General
Target: 31791ad0d3707ca7ffcc7d970c9a70853fded91505dc019d7f7460a42814317e
Size: 353KB
Sample: 220521-n3lqnseee6
MD5: 219b8eea3a397ce0a31333fa6bae9d46
SHA1: 53c9b81ab30ced6032fd110374bafe42ff9a54b5
SHA256: 31791ad0d3707ca7ffcc7d970c9a70853fded91505dc019d7f7460a42814317e
SHA512: 9d4bd7f6f602e7165c1802c94198ed389b46090db6672abb9a3ad7fe087637230d7a1469501b07bb41e982b8aeaa022890c3fee1f3671c97496b8fbb257dba89
Static task: static1
Behavioral task: behavioral1
Sample: RFQ47692762531096734.PDF.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
cfo
onebrothkitchen.com
mayitoujiao.com
carnevilfestival.com
journalcase.com
innovatpipe.net
topratedhomeappliances.com
parsian-turkey.com
lucindabinteriors.com
sjtellor.com
spicegive.com
palcoprep.com
happy199.com
haydenwalker.com
txlvyin.com
danielmurbach.com
maisondeyul.net
teamworkalu.com
kitu.ltd
kingfisherexports.com
doggystyle-by-chloe.com
asyhheembattles.review
webuyoklahomahouse.com
munyosu.com
starhubmail.biz
wuzhenjiu.com
nexusimin.com
vocalvoluble.biz
growinclusive.com
click2orderaccounting.com
nguas.com
mariocuche.com
driverupdate.store
roamschoolers.com
leslesbiennes.com
fastbird.ltd
besotico.com
bikinhorny.men
ludasend.com
trickcomposites.com
hotelseybaplaya.com
vguifen.com
processing-secure.info
dbuithykakrb.online
undemonstrated.com
bangladubbing.com
wunuecz.com
pcrbatiment.com
sabahtabletennis.com
inbrazilliancreditcardsok.live
kennedyjking.com
texakon.com
vkq75.com
photocopie.info
nocrunchesrequired.com
elsoldeldesierto.com
learningtreechildcarecenter.com
colosseosf.com
famim-cm.com
wagnervacuum.com
baumgartensvwservice.com
natinalparks.com
3in0l1.info
flyingknee.net
tealbirding.com
porcber.com
Targets
Target: RFQ47692762531096734.PDF.exe
Size: 629KB
MD5: 90f4a814fbfb89fab340e578699e5c36
SHA1: bf152875df107a6529e8c81e753496775dcedcc0
SHA256: f5d46fa7215a9fbc068c2c7c49ec8156b45d6199cac87e9c08cda6647aa4517e
SHA512: e7044248d00e5ec4aeb821499d1398ff9c2a022f75058dcc17422ed8d4a93edfcfd9574e72e06e0215f2ae91e4a83579cc17862d05d0204eb65e4e292e29df4b
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext