General

Target: 8bc47d513146ea22cbc57cf1654e5adbf2b80c17a75bc85d6cd1e7b7c389b2d6
Size: 440KB
Sample: 220521-net25sdeh7
MD5: 6f1f6727c40f68d315355dc76532adcc
SHA1: b4a25f3f9cba688a91adf65f14fa1ea9cca50d32
SHA256: 8bc47d513146ea22cbc57cf1654e5adbf2b80c17a75bc85d6cd1e7b7c389b2d6
SHA512: fe9b87464420a58ef5f6b8ac72ca9eb3ece1e90b9fb420d6f45eda9c13c1a8fa8d2b278e80c25910889d2325deb1ff43a9b67ce3a8a9ceabb4408cfdd9898a74

Static task: static1
Behavioral task: behavioral1
Sample: Procurement Agreement.exe
Resource: win7-20220414-en
Malware Config (extracted)

Family: formbook
Version: 4.1
Campaign: pac
Targets

Target: Procurement Agreement.exe
Size: 551KB
MD5: 5619bf6aed56992a940e39c1902574ff
SHA1: fbd95ede3e0c607774f29ac3e275e20274338f71
SHA256: 0ffe3a2c15dd0469d00b515316cdf09ae0e6b4dbbffe106297cf7f7d0d1b8197
SHA512: b2bf7a85ccc6c7b4ebf206fc39f48121fa18a8047876a5c69faaea2770fa97818632b3d641691f628cd4ba8599294037220145ed67eda127cd973dee297b99bc

Signatures:
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext