General
- Target: 830100a3246670a17c2e0c4efe473210d9d31dc90bb3e7c1aee8a0039d63641d
- Size: 263KB
- Sample: 220521-n782rshhhr
- MD5: 50674b8ec7d78ac6cb23769c195413ef
- SHA1: b01441c9cb97a6f46a626b5f4dd6d3642cd5e973
- SHA256: 830100a3246670a17c2e0c4efe473210d9d31dc90bb3e7c1aee8a0039d63641d
- SHA512: 44120d6a8f1954903ab7b4a56230612d68a05d14cbe30cc1b94d5ce87e5219ef8801bf0c95245d51b367c081195359e74ab9fc19b43c0793734eed93405aadf1

Behavioral task
- behavioral1
- Sample: RFQ REF #208056_pdf.exe
- Resource: win7-20220414-en

Malware Config

Extracted
- netwire
- 185.234.216.161:4017
- activex_autorun: false
- activex_key:
- copy_executable: false
- delete_original: false
- host_id: HostId-%Rand%
- install_path:
- keylogger_dir: %AppData%\Logs\
- lock_executable: false
- mutex: fplGYvgE
- offline_keylogger: true
- password: Pa$$word
- registry_autorun: false
- startup_name:
- use_mutex: true

Extracted
- formbook
- 3.9
- jb9
Targets
- Target: RFQ REF #208056_pdf.exe
- Size: 728KB
- MD5: f3b1f1b9b303a7a50481a0acd5aee6ac
- SHA1: c50dd6f9de9bcb477f8fed61eb706a71ed8a7522
- SHA256: 0c91c97182b3f1389437d15ff6aaa935156fc5ecc1c71c5588c0d831943acf4e
- SHA512: 68f469f626b423d20b4103f4ea23fc875c286df57a157302144aaf15310802f5dad06d1d370b50181a5c52e68301ef74c0fab92575ea4061b7b3c0ad196365c1
- NetWire RAT payload
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext