General
-
Target
69afd5a7f3e675cd53cbac316fba01e77db7139363e1ee916b5a740b3dea3ae9
-
Size
319KB
-
Sample
220521-n6zrpshhdn
-
MD5
698638db7a96e14eadcb84902738e496
-
SHA1
403c667e8efc4118a01719d0b159d334699aa1a9
-
SHA256
69afd5a7f3e675cd53cbac316fba01e77db7139363e1ee916b5a740b3dea3ae9
-
SHA512
96e02189037e1f03ce1c4951405dec77d86cf1630d180a12d2969df0d00aa238e7343b739b328b2af0b94d145733e63f1e94b0cff2b66e6d395c60fa14d9e912
Static task
static1
Behavioral task
behavioral1
Sample
PO #78574764 June 4-2020.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
4.1
i0qi
mytakeawaybox.com
goutaihuo.com
kuzey.site
uppertenpiercings.amsterdam
honeygrandpa.com
jenniferabramslaw.com
ncarian.com
heavilymeditatedhouston.com
gsbjyzx.com
akisanblog.com
taoyuanreed.com
jasperrvservices.com
yabbanet.com
myhealthfuldiet.com
flipdigitalcoins.com
toes.photos
shoottillyoumiss.com
maserental.com
smarteacher.net
hamdimagdeco.com
wuxifanggang.com
alamediationtraining.com
vfoe.team
kms-sp.com
gfidevfight.net
anomadbackpacker.com
21oms.us
australianseniorpreneur.com
valuereceipt.com
superbetbahis.com
rsrgoup.com
hoidonghuongkimson.com
parmedpharma.com
discoveryoverload.com
livetv247.win
jepekha.com
6o5ttvst.biz
netcorrespondents.com
cscycorp.com
emonkeygraphics.com
tillyaeva-lola.news
dgx9.com
jiucai5.com
justwoodsouthern.com
dentalexpertstraining.com
amazoncarpet.com
xsxnet.net
androidaso.com
jinhucai.com
wellnessitaly.store
clashrayalefreebies.com
wxvbill.com
quantun.network
allnaturalcbdshampton.com
mobo.technology
livinglifeawakened.com
canliarkadas.net
littlealohadaycare.com
wendyoei.com
kaz.site
puremind.info
queenscrossingneurosurgery.com
theworldexams.com
taptrips.com
joomlas123.com
Targets
-
Target
PO #78574764 June 4-2020.exe
-
Size
422KB
-
MD5
130322a1fd284d7d585221381038c584
-
SHA1
620933b28bb9de45a0f72a415c0bfc85efcbb442
-
SHA256
2bd1995c8c2b3f35906807ce4697151cf801af339579cd7b86e467df6474dafa
-
SHA512
3eaacdf8edd846d27059a04217540f561f8e592b537ce57412b45b67f797b7b25f8f76b7158ada512567a6f642911aa425475da656c29d7524d0995684d466d5
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Deletes itself
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext