General
- Target: 745e00e4a43761d5c4be5e29a539cda4e8ca2a45755b44e35321ced4a8d400c3
- Size: 357KB
- Sample: 220521-ne3z2sdfa5
- MD5: 669bf2619644a7990942f3c2dac81c8d
- SHA1: e7756aba22a0ea795c51dee0a38cd9df2b58a220
- SHA256: 745e00e4a43761d5c4be5e29a539cda4e8ca2a45755b44e35321ced4a8d400c3
- SHA512: 0036a6ac06a7dc6ac4c53c1de75ddde49dd84af40666996bdd2f530f31d45394ca4f5fb5536c84a92894ed95373103571aad784ae39cbd2f2e51425789ba4142
Static task: static1
Behavioral task: behavioral1
Sample: YEw0N670fLb3Qwz.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.0
cdm
ldren.net
smtpsystem.com
elbastonazul.com
clickmailservice.com
housesearch.today
jingwei-pingtai.com
briankarenontour.com
wwwjinsha520.com
greenhouseci.net
cyberexpo.events
soundepict.com
hansardtracker.com
abenaasare.net
policemoviefestival.com
cryptocurrencyrocks.money
carliequinnesthetician.com
finestmilan.com
diclar.com
thependletonsurfclub.com
raku.party
ballooncinema.com
amazingtitute.net
sin88.biz
winclubsoccer.com
madzerini.com
vastburg.com
kameko88.com
musud.info
tdomainwithdnstherapy.com
followtrade.site
cre8yourpower.com
cmoauthority.com
southfloridaretinas.com
runningxu.com
allgoodthings50.com
craftysiblings.com
whoispornstar.com
jmp-24.com
brokeindublin.com
telokblangahclinic.com
samanthahough.com
myvelvetmoon.com
abtest.top
goglassautoglass.com
baseballbenchcoach.com
protectivedigital.com
masterplitki-pf.com
venuechicago.club
knjet.com
narvikfjelletbooking.com
jmxqdi.men
554757.top
solarmcommunitygo.com
yzxlbj.com
youatenboutique.com
pyotrilyich.com
dgpymj.com
codercoworking.com
vonwi.com
edlaserstudio.com
reviewmaylockhongkhi.net
thegoodeearth.com
sunburstclosets.com
selfservicekiosk.net
tromagy.com
Targets
- Target: YEw0N670fLb3Qwz.exe
- Size: 445KB
- MD5: 767febc4e7ba132342b5271a06a370c8
- SHA1: 3997eb76ba7da530ef6624d37d6218bf89400159
- SHA256: 0b6acf8d9861c0c69b88b7a7bf1427c5245bbd968e96db1cdb08b8432442c729
- SHA512: 5d3ff4c987aa5dce84b2ef944214149a2e1723f140182331e5693fc548fbb3c6026a55dc37eeb4ccc55b1173a76c9bebf0d3d7f26179ef99583fc2abf32d5120
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext