General
Target: ca44d4aadf6c7f4120ab51143b5d05a46737ad470cf593c372901ca0f0ee2b2f (the submission is named by its own SHA256)
Size: 354KB
Sample: 220521-n9ewpsehb2
MD5: fd2402999d516ef1ae4037db15d7f75a
SHA1: 934bb6a6460644ccf60766b6b048b54ff735be90
SHA256: ca44d4aadf6c7f4120ab51143b5d05a46737ad470cf593c372901ca0f0ee2b2f
SHA512: bc9639051edef312944ddf9327655254f3fc7b7dae7b09d936aa56b5d0076a0065224431bb0eef417c3d117285e5ddf87b63c8d8b357a553248a2050b5e3fada
Static task: static1
Behavioral task: behavioral1
Sample: PG2005005.exe
Resource: win7-20220414-en (Windows 7 sandbox image, English locale; the locale matters because the sample reads the configured country code, see the signatures below)
Malware Config
Extracted family: formbook
Version: 3.9
Campaign: ev08
Domains (65 entries): FormBook 3.x configs are known to carry 64 decoy domains alongside the single live C2, and this list has 65 entries, consistent with that. The dump does not indicate which entry is live, so treat the list as a hunting watchlist rather than as 65 confirmed C2 servers; a single query to one of them is weak evidence on its own.
elysianhomesanddesign.com
emplytics.com
rx-server.com
yunkeguanjia.com
069xke.info
xgltnpzoai.biz
vizebasvurusuislemi.com
willenochhardscape.com
luciovicencio.com
369zhangting.com
dealsamzn.com
epsilontech.net
longzhimy.com
drfenxiyi.com
perfecttiger.win
jon-lisa.com
projeen.com
tpak4.com
telurasinjulak.com
grhcew.men
demirevent.com
haisichou.com
bringwisdom.com
riyadh.school
gzmeijin.com
mtabram.net
lesbiansvid.com
partnersfinder.info
946s.com
houdaoxny.com
brinkpro.online
branchcreekoutfitters.com
xn--xhq8b70l5mk61k1yrvi5c.com
wwwwnsr108.com
neevfund.com
xaxiaobanma.com
nb-yy.net
howtobeafreak.com
qinu.ltd
bolle.network
postnlpakket2.info
leiguan88.com
cabditect.com
xiaohanlin.net
theduangjittphuket.com
abeautyfulmind.com
desheng-info.com
pickafight.email
britishral.com
ee8xhs5kxu.info
devinandcaroline.com
mysupersweet15.com
airport-parking-heathrow.info
jememedia.com
pay-number.com
cleanly.info
footatconstruction.com
yepchain.com
dinroseal.com
descubreelmundo.com
theysaycheap.com
os-sys.net
vailtrappings.com
vitaligentjobs.com
mansiobok.info
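The config dump above is only useful to a defender once it is turned into something that runs against telemetry. The following is an added example, not part of the Triage report and not Triage's or FormBook's code: it normalises the 65 extracted domains into a watchlist (decoding the one punycode entry for display), matches DNS query names against it including www. and other subdomain forms, and runs that over a few constructed resolver log lines. The log format (timestamp, client, qname, qtype) and the log lines themselves are assumptions made up for the demonstration. Because 64 of the 65 entries are decoys, the example ranks clients by how many distinct config domains they touched rather than treating any single hit as a confirmed infection.

```python
"""Build a DNS hunt from the FormBook config dump above and run it over
constructed resolver log lines. Added example, not Triage's or FormBook's code."""
from collections import Counter

# The 65 domains extracted from the sample's config, copied from the report.
CONFIG_DOMAINS = """
elysianhomesanddesign.com emplytics.com rx-server.com yunkeguanjia.com
069xke.info xgltnpzoai.biz vizebasvurusuislemi.com willenochhardscape.com
luciovicencio.com 369zhangting.com dealsamzn.com epsilontech.net
longzhimy.com drfenxiyi.com perfecttiger.win jon-lisa.com
projeen.com tpak4.com telurasinjulak.com grhcew.men
demirevent.com haisichou.com bringwisdom.com riyadh.school
gzmeijin.com mtabram.net lesbiansvid.com partnersfinder.info
946s.com houdaoxny.com brinkpro.online branchcreekoutfitters.com
xn--xhq8b70l5mk61k1yrvi5c.com wwwwnsr108.com neevfund.com xaxiaobanma.com
nb-yy.net howtobeafreak.com qinu.ltd bolle.network
postnlpakket2.info leiguan88.com cabditect.com xiaohanlin.net
theduangjittphuket.com abeautyfulmind.com desheng-info.com pickafight.email
britishral.com ee8xhs5kxu.info devinandcaroline.com mysupersweet15.com
airport-parking-heathrow.info jememedia.com pay-number.com cleanly.info
footatconstruction.com yepchain.com dinroseal.com descubreelmundo.com
theysaycheap.com os-sys.net vailtrappings.com vitaligentjobs.com
mansiobok.info
""".split()


def normalise(domain: str) -> str:
    """Lower-case and drop a trailing dot so log and config spellings compare equal."""
    return domain.strip().rstrip(".").lower()


def build_watchlist(domains):
    """Return the deduplicated watch set and a Unicode rendering of any IDN entries.

    The config mixes 64 decoys with one live C2 and does not say which is which,
    so every entry goes on the list; ranking happens later in hosts_by_hit_count.
    """
    watch = {normalise(d) for d in domains}
    idn_display = {}
    for d in watch:
        if "xn--" in d:
            try:
                idn_display[d] = d.encode("ascii").decode("idna")
            except UnicodeError:
                idn_display[d] = d  # leave undecodable punycode as-is
    return watch, idn_display


WATCHLIST, IDN_DISPLAY = build_watchlist(CONFIG_DOMAINS)


def matches(qname, watch):
    """Return the watchlisted domain that qname equals or is a subdomain of, else None.
    Check-in hosts commonly appear with a www. prefix, so exact matching would miss them."""
    labels = normalise(qname).split(".")
    # Stop before the bare TLD so 'com' alone can never match.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watch:
            return candidate
    return None


# Constructed resolver log (not from the report): timestamp client qname qtype.
DNS_LOG = """\
2022-05-21T10:02:11Z 10.0.0.23 www.emplytics.com A
2022-05-21T10:02:12Z 10.0.0.23 www.rx-server.com A
2022-05-21T10:02:14Z 10.0.0.41 mail.example.com MX
2022-05-21T10:02:15Z 10.0.0.23 WWW.Riyadh.School. A
2022-05-21T10:02:20Z 10.0.0.77 notrx-server.com A
"""


def hunt(log_text, watch):
    """Return (client, qname, matched_domain) for every query that hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, _qtype = line.split()
        hit = matches(qname, watch)
        if hit:
            hits.append((client, normalise(qname), hit))
    return hits


def hosts_by_hit_count(hits):
    """Hits per client. One hit may be a decoy or a coincidence; a host that walks
    several config domains in a short window is the strong signal."""
    return Counter(client for client, _, _ in hits)


if __name__ == "__main__":
    found = hunt(DNS_LOG, WATCHLIST)
    for client, qname, domain in found:
        print(f"{client} queried {qname} -> config domain {domain}")
    print(hosts_by_hit_count(found))
    print("IDN entries:", IDN_DISPLAY)
```

The suffix walk in `matches` stops one label short of the TLD on purpose; without that guard a watchlist entry could never be a bare TLD, but a buggy config parser that emitted one would turn every query into a hit.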
Targets
Target: PG2005005.exe (the executable the static and behavioral tasks ran; it is a different file from the 354KB submission above, with its own size and hashes, and the report does not state how the two are related)
Size: 389KB
MD5: 3316029db1ea9e093aeb24566210e240
SHA1: a1dbdaa76bbc5d0617d3ac44074424316c8a5af9
SHA256: 2ed611befc2af97a0bf7bada7f7b53d4f625f99620983252455e675d22021bc6
SHA512: 28403a94f04b50b3c3304306706385fd573e4106a15f7d0a8f03663ae96de63f055dabb2d43823ea73297bd3df34435719326e635f110ccd6377b48efc67cc42
Suricata: ET MALWARE FormBook CnC Checkin (GET) (the alert is listed twice in the report; it matches the HTTP GET check-in the payload makes to its configured hosts)
Formbook payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence. The report does not show which countries are excluded; since the outcome depends on the VM's configured locale (win7-20220414-en here), behaviour may differ on a host set to another country.
Deletes itself: the original executable is removed after execution (the report does not show the mechanism).
Adds Run key to start application: persistence through a CurrentVersion\Run registry value.
Suspicious use of SetThreadContext: consistent with process hollowing or injection, where a thread in a suspended process has its context redirected to injected code; FormBook runs its payload from an injected process.
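Two of the signatures above leave traces in ordinary endpoint telemetry, and the following added example (not Triage's signatures and not the sample's code) shows detection logic for them run over constructed Sysmon-style events: a Run/RunOnce value set (Sysmon EventID 13), ranked by whether the writer runs from a user-writable path, and self-deletion found by correlating a FileDeleteDetected event (EventID 26) with the ProcessCreate event (EventID 1) of the deleting process, flagging a child that removes its parent's own image. The events, paths and GUIDs are made up for the demonstration; the cmd.exe-based self-delete is a common pattern assumed here, not something the report shows for this sample. The other two signatures are not visible this way: Sysmon logs registry writes, not the read behind the geofence check, and a SetThreadContext-based injection needs API-level monitoring such as the sandbox's own hooks.

```python
"""Detection logic for Run-key persistence and self-deletion, run over constructed
Sysmon-style events. Added example; not Triage's signatures, not the sample's code.
Field names follow Sysmon's schema: EventID 1 = ProcessCreate,
13 = RegistryEvent (Value Set), 26 = FileDeleteDetected."""

RUN_KEY_MARKERS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
# Autoruns written by binaries living here deserve a closer look than ones written
# by installers under Program Files; a triage heuristic, not an allow-list.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed events (not from the report). The first four model the listed
# behaviours; the last two are benign activity to show how the heuristics rank it.
EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A}", "Image": "C:\\Users\\bob\\Downloads\\PG2005005.exe",
     "CommandLine": "C:\\Users\\bob\\Downloads\\PG2005005.exe",
     "ParentProcessGuid": "{X}", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 13, "ProcessGuid": "{A}", "Image": "C:\\Users\\bob\\Downloads\\PG2005005.exe",
     "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\bob\\AppData\\Roaming\\Updater\\upd.exe"},
    {"EventID": 1, "ProcessGuid": "{B}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c del \"C:\\Users\\bob\\Downloads\\PG2005005.exe\"",
     "ParentProcessGuid": "{A}", "ParentImage": "C:\\Users\\bob\\Downloads\\PG2005005.exe"},
    {"EventID": 26, "ProcessGuid": "{B}", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\bob\\Downloads\\PG2005005.exe"},
    {"EventID": 13, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "EventType": "SetValue",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdate",
     "Details": "C:\\Program Files\\Vendor\\update.exe"},
    {"EventID": 26, "ProcessGuid": "{C}", "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetFilename": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.log"},
]


def from_user_writable_path(image):
    """True when the binary runs from a location an unprivileged user can write to."""
    return image.lower().startswith(USER_WRITABLE_PREFIXES)


def run_key_persistence(events):
    """Flag every Run/RunOnce value set and record who wrote which autorun target.
    Writes from user-writable paths are marked so they sort to the top."""
    findings = []
    for e in events:
        if e.get("EventID") != 13 or e.get("EventType") != "SetValue":
            continue
        if any(m in e["TargetObject"].lower() for m in RUN_KEY_MARKERS):
            findings.append({
                "writer": e["Image"],
                "key": e["TargetObject"],
                "autorun": e.get("Details", ""),
                "from_user_path": from_user_writable_path(e["Image"]),
            })
    return findings


def self_deletion(events):
    """Correlate FileDeleteDetected (26) with ProcessCreate (1): flag a process whose
    deleted target is its own parent's image, the usual 'cmd /c del' self-delete."""
    parent_image_of = {e["ProcessGuid"]: e["ParentImage"]
                       for e in events if e.get("EventID") == 1}
    findings = []
    for e in events:
        if e.get("EventID") != 26:
            continue
        parent_img = parent_image_of.get(e["ProcessGuid"])
        if parent_img and parent_img.lower() == e["TargetFilename"].lower():
            findings.append({"deleter": e["Image"], "deleted": e["TargetFilename"]})
    return findings


if __name__ == "__main__":
    for f in run_key_persistence(EVENTS):
        print("Run key:", f)
    for f in self_deletion(EVENTS):
        print("Self-delete:", f)
```

Both functions operate on the event list in one pass; in a real pipeline the ProcessCreate lookup in `self_deletion` would be a cache keyed by ProcessGuid, since the delete event arrives after the create event for the same process.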