General
- Target: 7df5e3dbbf4aba798bc3fc963731c0c6aa6645301235c72eddb8cd374265ac14
- Size: 320KB
- Sample: 220521-n5kamahgfl
- MD5: 4e57b2683adb0ff4141215d9a06bf57a
- SHA1: dbd360c355b16913ac6ce7183073530a561263de
- SHA256: 7df5e3dbbf4aba798bc3fc963731c0c6aa6645301235c72eddb8cd374265ac14
- SHA512: 828e540db9847e40bde7921193823bf16235e8ca4dd577e733adce8081e9c83f6c024958b2daceb47169e864d1ef11445e493e3ad558c639bcc5dff76cfb04d1
Static task: static1
Behavioral task: behavioral1
- Sample: 130003150.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
otn
thewoodwideweb.net
broadconnectionpm.com
tuzlametro.net
vjpqdk.info
vietnamtimetravel.com
notice-close-n217.online
verif22-mail999-pymts76.com
bestgreenhouseplan.com
brangain.top
cukaapelbragg.com
stileincucina.com
veloflambe.com
virtualsupportservicesllc.com
smpl.site
mezo.ltd
incidenciasarty.com
everglamp.com
theflowerfarmplanner.com
oasis-base.net
jnrhsh.com
hostux.info
aptivauto.com
xedinl.info
newfiveflags.com
ottleyco.com
my-debtrelief.com
frantac.com
new-auto-news.com
castironcravings.com
cplusc.studio
firsteditionbooks.net
atraedinero.com
fooddeza.com
mariancolmanart.com
ats-ortho.com
kabolobari.com
otcvollar.com
dliti.com
jidanyun.com
realestatewithdawn.com
idecorados.com
czgy1991.com
moneysavingmissy.com
oderviettrung.com
szzolon.com
candycrushsaga.cloud
jmsortho.com
carebookkeeping.com
milesdavidlee.com
generallasers.com
informaticahostednp.com
paintmywedding.net
opusdentalonline-beta.com
rickramgattie.com
nbgkl.com
pjhsea.info
accuratevinylinc.com
dissedin.com
findmyticket.info
greekobsession.com
trendlong.com
tumarcaesladiferencia.com
noragamst.com
shapupu.com
regulars7.info
Targets
- Target: 130003150.exe
- Size: 393KB
- MD5: 4300f14f031e8a4330a8c56894b22fca
- SHA1: b83b39f1a587ff6697c94a08da1c3db857a13a4c
- SHA256: e65997e20f521c8eee713623c45c9600a7a05629c85d73c9dd2bdf696f43e5de
- SHA512: 572c9e11d862a28f2d8fea4c3cf62d18350d04cecff7eda36730efa593d0daf1c9fb94e15547d2e8ec1bb5736d53a3fb586f6cc22aa4c48d33ee806c9088edb9
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext