General
  Target:  2dc6b9f586ff80b1406ede3039c09d7f0d78affc67bf7397da9ebad5f93bf25f
  Size:    453KB
  Sample:  220521-nb7ttsgeeq
  MD5:     0129f769ff92a529d5b91d24ead08103
  SHA1:    d09dbdd4eaafa8150e6ce815eea950fd5c1c3828
  SHA256:  2dc6b9f586ff80b1406ede3039c09d7f0d78affc67bf7397da9ebad5f93bf25f
  SHA512:  38d65d94d5fa4acb3608de4f23d031384b3b637a6eca6ffa73df61b0e756770e58ca83e96ebee21237f7ebd6dccd78524a555a55fe5fce1d9632afbad10748e1
Static task:      static1
Behavioral task:  behavioral1
  Sample:    Purchase Order#78578333.exe
  Resource:  win7-20220414-en
Malware Config
  Extracted:    formbook
  Version:      4.1
  Campaign ID:  9pc
  C2 domains (as extracted from the sample's configuration):
    robertmeachem17.com
    xn--31-hy1k.com
    flip-master.com
    gush-silver.com
    spiritualbootcamp.com
    office-break.com
    microbusinessaire.com
    netfirmsonline.com
    529apj.info
    sharezb.com
    mybossisanasshole.life
    sfsecurity.solutions
    charleyaz.com
    chicagocubaconference.info
    leonardhonsignature.com
    stanchroickeec.win
    hbflbwb.com
    vzkkl.loan
    mylinkthai.com
    ustadweb.com
    bjkorea-s.com
    doutorsolucoes.com
    banglafashionbd.com
    yuezhenwang.com
    vipgiftby.online
    galaxylasers.com
    chnmeisu.com
    soldier-readiness.com
    guzbdo.men
    crafterscompaion.com
    professionalnij-massazh.com
    metamorphosisintministries.com
    arecastudios.net
    wwwcn6333.com
    vincity-newsaigon.net
    ttsounddoctrine.com
    ovwlgm.com
    collierbots.com
    religionisfake.com
    shengdijia.net
    diymodify.com
    rivercityword.com
    pornohublove.com
    rukubon.com
    tcdqnlw.com
    lwxrmmipzplicatures.review
    thuviencobac.net
    tehranservis.com
    wwwwnsr9977.com
    seelenpfluecker.com
    dreisamwerk.com
    citieslights.com
    esohot.com
    flatheadcherries.farm
    mediawit.net
    christinasutrov.com
    sakeofjapan.com
    trabaon.com
    meixiulai.com
    marthapullenco.com
    firmaraoke.com
    birdsongnatives.com
    eventosenoferta.com
    stinemor.com
    chemoly.com
Targets
  Target:  Purchase Order#78578333.exe
  Size:    633KB
  MD5:     d14a1e5b0ed956c11ecbf73a5d5b672f
  SHA1:    c5bedf2c0dee05a8059c2027f906a78b156d2e85
  SHA256:  ebe0cdaa9294178232eafaf33f700297252b612183da9db1b2b5c9cd9907089a
  SHA512:  f6aad6af40c540a91d3dd5357f02afda0f569dea43816c716e728003ddc9844262fd42081bd580589eca0b2b0a65c0a9183d565e3c63fff443ab07460012d1e4

  Signatures:
    suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata: ET MALWARE FormBook CnC Checkin (GET)
    Formbook Payload
    Adds policy Run key to start application
    Deletes itself
    Adds Run key to start application
    Suspicious use of SetThreadContext