General
Target: 4c004822cd78deb55cf3ed841a087538288bb3ec95558ef0e2b5d644c98613b1
Size: 310KB
Sample: 220521-n8kessegf9
MD5: 0a20f8f392937693b8b163fc958b7cbf
SHA1: 3f5d01ae44674d52190736fea15a574a3a174656
SHA256: 4c004822cd78deb55cf3ed841a087538288bb3ec95558ef0e2b5d644c98613b1
SHA512: c9e7829f69a54338f63dc493e68ef5640d450c18baa1e21686a1868680a3a7a6eac9900ad341233f2312dab02306661c624cd859249cb177536ff363cd1ad461
Static task: static1
Behavioral task: behavioral1
Sample: Purchase Order.pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
4vx
Targets
Target: Purchase Order.pdf.exe
Size: 385KB
MD5: 00d7241de149d6511579e6d5ad7974ec
SHA1: 0257125b4e77f3dffeb21709a39668115015c0b8
SHA256: 575cd2d06aa99a48ed59b412bb87aba3b3e3cd66093c7f9efd118bf533032ba3
SHA512: bfad300716c91bc0559d0f4cb16e361e39646b67d2651a50e67415ba7a28daf687310bdfb3dca6d2113c7c3fc6f5077921c4949a692fbcf62c703cd675921450
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Adds Run key to start application
- Suspicious use of SetThreadContext