General
Target: 736b7cd2f4c5db0fbb9fcd8a5f7f941e83c4133ed14571d59eac5d754019aaba
Size: 275KB
Sample: 220521-ngys4sdfg6
MD5: 204ad0e3f63de178838bca61f24db8a9
SHA1: fe188477f5f0ef144e25d0fbd3deb3a3461cbdd2
SHA256: 736b7cd2f4c5db0fbb9fcd8a5f7f941e83c4133ed14571d59eac5d754019aaba
SHA512: 987b08d8843c7da8043d5797b151175f8af6445ee32e9bac841efb81a6ac0bf7d6eda1bf09fcd8735c12421885ad8a4b48a2181e91cfd0d556ab57a467951aa6
Static task: static1
Behavioral task: behavioral1
Sample: invoice.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: 4vx
C2 domains (the 65 entries below are the domain list carried in the extracted configuration; FormBook configs mix a small number of live controllers with many decoy domains that the bot also contacts, so treat these as indicators to hunt on rather than a ready-made block list, and confirm the live C2 from the actual check-in traffic):
kontinuer.com
outofthebluelove.com
docentrood.com
emowm.com
jsa862.net
kshoworld.com
kumsalkorel.com
adrigh.info
goldentrianglerv.com
youkuy.com
lindaclijsters.com
audreyfarley.com
alasitter.com
uscar-boerse.com
successwithfletch.com
474opebet.com
xjlfb.com
doingworkabroad.com
0pe864.com
ittestperfumeok.live
newfaith-ministries.com
longfellowpurebreds.com
aeroclubcrema.com
lifehandson.com
diamond-distinction.com
miaowbid.info
chicagorefinanceblog.com
news3033.com
jllsjl.com
tianshidaxue.com
wenbuwen.com
helpme.science
manulifeindonesia.online
407motorcars.com
tuneinchannel.com
chrisbuie.com
e-karta.online
haohuofenxiang.com
boav75.com
dovu.ltd
countryhomecityhome.com
klmloanservicing.com
jwxqfx.info
allaboutrosalilla.com
550315.top
giuongnguxuatkhau.com
ambassystyle.com
someron.com
ghplhose.com
blogwithapurpose.com
spermbank.men
taveon.com
danceyourability.com
chuangxingcn.com
ksvvu.win
xn--6cs32cp56d.com
tediapowell.com
avayqk.info
promotemeentertainment.com
tuhfa-gallery.com
superyachtprojectmanager.com
leisterheating.com
themercantileshop.com
youpinyoufu.com
joomlas123.com
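The following is an added example, not part of this report or of any sandbox tooling, showing how a responder would turn the extracted configuration and the file hashes above into something to hunt with: hash matching against the two SHA-256 values on this page, a subdomain-aware check of DNS query names against the config domain list, and generation of Suricata dns.query rules. The hashes and domains are copied from the report (a subset of the domain list, to keep the block short); the DNS log lines are constructed for the demo; every function name is this example's own; and the rule syntax assumes Suricata 5.x or later (dns.query buffer with the dotprefix transform and endswith).

```python
"""Hunting helpers built from the indicators in this FormBook report (added example).

Hash values and domains are copied from the report; the DNS log lines are
constructed for the demo, and the function names are this example's own.
"""
import hashlib
from typing import List, Optional, Tuple

# SHA-256 values listed in the report: the analysed target and the submitted object.
KNOWN_SHA256 = {
    "bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112":
        "invoice.exe (analysed target, 326KB)",
    "736b7cd2f4c5db0fbb9fcd8a5f7f941e83c4133ed14571d59eac5d754019aaba":
        "submitted object (275KB)",
}

# Subset of the 65-entry FormBook domain list extracted in the report. FormBook
# mixes decoy domains with its live controller, so a hit here means "queried a
# domain from this config", not "talked to the C2"; the live one is confirmed
# from the check-in traffic (the Suricata alert on this page).
C2_DOMAINS = [
    "kontinuer.com", "outofthebluelove.com", "docentrood.com", "emowm.com",
    "jsa862.net", "kshoworld.com", "kumsalkorel.com", "adrigh.info",
    "goldentrianglerv.com", "youkuy.com", "0pe864.com", "joomlas123.com",
]


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a file body."""
    return hashlib.sha256(data).hexdigest()


def match_hash(data: bytes) -> Optional[str]:
    """Report label for a file body whose SHA-256 is listed on this page, else None."""
    return KNOWN_SHA256.get(sha256_of(data))


def domain_matches(qname: str, domains: List[str] = C2_DOMAINS) -> Optional[str]:
    """Exact or subdomain match only: notkontinuer.com must NOT match kontinuer.com."""
    q = qname.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed DNS log, one "<timestamp> <client> <queried name>" per line (not from the report).
DNS_LOG = """\
2022-05-21T14:02:11Z 10.0.0.15 www.kontinuer.com
2022-05-21T14:02:12Z 10.0.0.15 update.microsoft.com
2022-05-21T14:02:13Z 10.0.0.22 www.goldentrianglerv.com
2022-05-21T14:02:14Z 10.0.0.22 notkontinuer.com
2022-05-21T14:02:15Z 10.0.0.31 JOOMLAS123.COM.
"""


def scan_dns_log(text: str, domains: List[str] = C2_DOMAINS) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched config domain) for each line that hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qname = parts
        d = domain_matches(qname, domains)
        if d:
            hits.append((client, qname, d))
    return hits


def suricata_dns_rules(domains: List[str] = C2_DOMAINS, base_sid: int = 9000000) -> List[str]:
    """One Suricata (5.x+) rule per config domain. dotprefix prepends '.' to the
    query name so that endswith on '.domain' matches the domain and its subdomains
    but not a name that merely ends in the same letters."""
    rules = []
    for i, d in enumerate(domains):
        rules.append(
            'alert dns any any -> any any (msg:"FormBook config domain {d}"; '
            'dns.query; dotprefix; content:".{d}"; nocase; endswith; '
            'sid:{sid}; rev:1;)'.format(d=d, sid=base_sid + i)
        )
    return rules


if __name__ == "__main__":
    for hit in scan_dns_log(DNS_LOG):
        print("DNS hit:", hit)
    print("hash match:", match_hash(b"not the sample"))  # None, no real sample in the demo
    print("\n".join(suricata_dns_rules()[:2]))
```

Run it as-is to see the three DNS hits (the lookalike notkontinuer.com is correctly ignored) and the first two generated rules; point scan_dns_log at real resolver logs in the same three-column shape, and feed the output of sha256_of to match_hash for files recovered from a host.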
Targets

Target: invoice.exe
Size: 326KB
MD5: 0060b9cfb3b239c92f18f3b1ae7d8c3c
SHA1: 7170ef2a931341c0c4fb152c1552a5049eca68ae
SHA256: bb973839df53081c969a7e6647bdfc2d3090b43b496fe8e2244a51a604264112
SHA512: 46e234941eed5120dc8fdcef173a34580c0fa0f28e8903729dec8cd22ebebbc8c489f0a10ede740a7ecd8b821fe6376e13aeb731ecad3c6e871233f155f2ceea
Note: the size and hashes of this target differ from those of the submitted object in General above (275KB, SHA256 736b7cd2...), so hunt on this target's hashes for the executed binary and on the General hashes for the file as it was delivered.

Network alerts
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)

Signatures
Formbook Payload
Deletes itself (the original file is removed after execution, so recover it from the delivery artefact or backups rather than from its original path)
Adds Run key to start application (persistence through a Run registry key)
Suspicious use of SetThreadContext (the API used to redirect a suspended thread into injected code, as in process hollowing)