General
- Target: f02b9aaeb8bb7359fdd8fc85f693292d863a481eea4213e066661a35c52087fe
- Size: 1.2MB
- Sample: 220521-ngx7ksghar
- MD5: 3a544925245ef4452fbd234d2e2817eb
- SHA1: 35c5bf53af4d0b78b9f9b0c0072fb81143669bdc
- SHA256: f02b9aaeb8bb7359fdd8fc85f693292d863a481eea4213e066661a35c52087fe
- SHA512: ff9aa549e64b7ccff0c7f38109c32e0e37acdf280214c581c7f0fc754fcec8d93dacc76b290e3cb117482fbde90de34245ecc657421fe73b3c92152acad35801
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO_CS009.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
q5e
Targets
- Target: PO_CS009.EXE
- Size: 362KB
- MD5: 08b794da39ef13910c12b15e072c1edd
- SHA1: b0e926330b4b67e823c2a12e9b8fa789a1b9291f
- SHA256: 4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568
- SHA512: 97822a1eb2197352f67037ec6b3c6cf8b0a54ebac288f84d3a254d1b1af2c53e2a5db4e3a13e91df80d4ce127a033485915e01f47fa0ecd6edd0d778655a0156
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext