General
- Target: d28a86bcfc1a16880fcf3e42f04a4a840f92086ae386d180a5c22e7f354c74a3
- Size: 199KB
- Sample: 220521-nqqh4ahbdj
- MD5: 62cb528f84fda91308364f6c535f5dbc
- SHA1: 4a1f614c76bfbd52c37c5f742cf64e6c6b314f0f
- SHA256: d28a86bcfc1a16880fcf3e42f04a4a840f92086ae386d180a5c22e7f354c74a3
- SHA512: 4929d8991a638e28ad8b2989d192c9551eb5aec46449e0963af469581f229bae54dc146bf132f3f4ec44e07b2fd3350b2833c8af0929ccfe442e1a2b482fa68b

Static task
- static1

Behavioral task
- behavioral1
- Sample: Payment Slip.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: kfr
- C2 domains:
pensight.com
in4rac-acc3es-re7unds1.com
iznjreb.com
globalqled.com
njzscy.com
763bifa.com
coinpatent.com
tipsfoorti.com
lukusabusiness.com
tokaminerale.com
jinshavip74.com
idbcc.com
maxfacto.com
graffititheworld.com
connecticutwatercooler.com
matroofing.com
route-ceram.com
redwaterservices.com
bracifyritugupta.com
discoverfrenchtown.com
calaveraskull.com
0pe158.com
callflakes.net
exploremoreco.com
artisantilecompany.net
bestoffunmovie.info
cafecondani.com
lovelaceboutique.com
zsupplements.com
cerecaustin.com
myquiz.win
netgrowthstrategies.com
qk9four.loan
skew.market
topnotchhardwoodflooring.com
berniesofly.com
oneworldrentals.com
enradex.com
mining-journal-30.com
mylifestylebyclem.com
ecomobilecarspa.com
xarkz.info
macdesarrollos.com
1818zsw.com
cheryllovesthesun.com
431man.com
healthylifeteamonline.com
t1xh7.com
lyitrc.com
digitalassets.network
sacrificant.men
jpbtestsite20.com
doneasa.com
huntsvilleguru.com
californiaautodealerlicense.com
retireinyourstyle.com
donelis.com
jyothimusicalband.com
oracle4business.com
kingcash.money
market-play.com
permatabnet.com
majorcoding.com
zepi.ltd
howcuty.com
Targets
- Target: Payment Slip.exe
- Size: 278KB
- MD5: e2ac3d9facc2259a85c66087ff0b6a85
- SHA1: b592f4eea4d6632f6f543c75d71c4749e8aa8b69
- SHA256: 370f3e9f42d074cd9575a0fa8df285e970dda741ae4200b54fb53f0a3145369e
- SHA512: 226bf723fc4094cf2ac6ca74ff9fdefc0daebe90de2d905b0b9c7acae8c9d3e3956c17f1df80d736bb2bae094d075d307c05534485eae6c51575b2939261ae4c

Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Drops startup file
- Suspicious use of SetThreadContext