General
- Target: a80f0dc7d78c856762061e22220dfe00573b8fa65eea987efe3dc8f7433b15bf
- Size: 202KB
- Sample: 220521-nrf12shbdr
- MD5: 0f1836a97f8fd8b15987266f6a59cdbc
- SHA1: 171f6d5d9bc82351fa672e107b40aa902e660109
- SHA256: a80f0dc7d78c856762061e22220dfe00573b8fa65eea987efe3dc8f7433b15bf
- SHA512: e27741559932cd868455275305d982f8ea448becfb2bcc42c603725832d279577ad7c469ffdaef3cd58680868e8b86d85a9765442da35df21b1c4130ccefb9e2
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: Quotation.exe, resource: win7-20220414-en)
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign ID: nbc
- Domains (65 entries): FormBook configs carry one live C2 alongside a list of decoy domains that the bot also contacts to mask it, and many decoys are ordinary live websites. Treat any of them resolving from a host as a lead, weight several distinct hits from one host far higher than a single one, and review the list before blocking it at the perimeter.
cargopower-tyre.com
blackworldbiz.com
pottedtreebooks.com
redlinefanatics.online
service-fee.info
greenlightcfo.com
mypetlink.pet
carewil.com
vippontooncharters.com
zxpcapital.com
dvdgfilms.com
worldsbestduchesses.com
testgoods.top
fujiyoshisougou.com
gage-consulting.com
yifangxuetang.net
imedialog.com
consinfotech.com
lorienttrading.com
ola-tienda.com
evolutionhealth.care
ylsmu.com
rbljrlive-events.com
anhaenger.center
africaplynx.com
globalmedical.solutions
wishesonlinedating.singles
chazufang.net
sharenoe.com
wbgpld.men
cinderellatv.com
jh-straw.com
csdhgd.com
bhintara.com
dimlau.com
nbtrf.com
jaujqfg.com
americantrackservices.com
wwwswty5566.com
on300.info
timberlandolcson.com
connect-online-salon.net
creditcardvisado.com
xn--uiru7lj8izzeso1f.com
invisalign-cardiff.com
kontolsecure9.com
barcinojuridic.info
lumediadesign.com
xfavav.com
yachtinthewind.com
projerd.net
findnearbyplumber.com
myfsiemensbenefits.com
designerforuibags.com
howardprecision.info
greenlawnrvlockbourneoffers.com
vulcanopci.com
naturespik.com
providence-produce.com
coloriing.com
hungthinh-bds.com
ohllt.info
sexyfilmess.online
heropix.net
patlod.com
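The following is an added example, not part of the sandbox report, showing how a responder would turn the extracted block above into hunting IOCs: it parses the flattened config (family, version, campaign ID, then one domain per line), normalises domains so log entries compare equal, scores hosts by how many distinct config domains they resolved (the decoy behaviour described above makes a single hit weak and several hits strong), and emits exact-match Suricata dns.query rules. CONFIG_TEXT is a subset of the report's list; DNS_LOG and the client IPs are constructed. The threshold of 3 and the SID base are assumptions.

```python
"""Turn the extracted FormBook config into hunting IOCs and score DNS logs.
Added example, not part of the sandbox report. CONFIG_TEXT is a subset of
the report's "Malware Config / Extracted" block; DNS_LOG is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Subset of the extracted config, in the flattened form the report uses:
# family, version, campaign id, then one domain per line.
CONFIG_TEXT = """
formbook
4.1
nbc
cargopower-tyre.com
blackworldbiz.com
service-fee.info
invisalign-cardiff.com
kontolsecure9.com
xn--uiru7lj8izzeso1f.com
"""

# Constructed DNS query log, one "<timestamp> <client_ip> <query>" per line.
# 10.0.0.5 resolves several config domains (bot beaconing to C2 plus decoys),
# 10.0.0.9 hits one decoy that is also a real site, 10.0.0.7 a lookalike.
DNS_LOG = """
2022-05-21T10:00:01Z 10.0.0.5 cargopower-tyre.com
2022-05-21T10:00:02Z 10.0.0.5 www.blackworldbiz.com
2022-05-21T10:00:02Z 10.0.0.5 SERVICE-FEE.INFO.
2022-05-21T10:00:03Z 10.0.0.5 xn--uiru7lj8izzeso1f.com
2022-05-21T10:01:00Z 10.0.0.9 invisalign-cardiff.com
2022-05-21T10:01:30Z 10.0.0.9 example.com
2022-05-21T10:02:00Z 10.0.0.7 notservice-fee.info
"""

@dataclass
class FormbookConfig:
    family: str
    version: str
    campaign: str
    domains: Set[str] = field(default_factory=set)

def norm(domain: str) -> str:
    """Canonical form: strip trailing dot, punycode any Unicode labels,
    lower-case. Plain ASCII and xn-- labels pass through unchanged."""
    return domain.strip().rstrip(".").encode("idna").decode("ascii").lower()

def parse_config(text: str) -> FormbookConfig:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, campaign, *domains = lines
    return FormbookConfig(family, version, campaign, {norm(d) for d in domains})

def match_domain(query: str, cfg: FormbookConfig) -> Optional[str]:
    """Config domain the query equals or is a subdomain of, else None.
    The label-boundary check keeps 'notservice-fee.info' from matching."""
    q = norm(query)
    for d in cfg.domains:
        if q == d or q.endswith("." + d):
            return d
    return None

def score_hosts(log: str, cfg: FormbookConfig) -> Dict[str, Set[str]]:
    """Distinct config domains each client resolved."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, client, query = parts
        d = match_domain(query, cfg)
        if d:
            hits[client].add(d)
    return dict(hits)

def likely_infected(hits: Dict[str, Set[str]], threshold: int = 3) -> List[str]:
    """FormBook contacts the live C2 plus a set of decoys, so several distinct
    config domains from one host is the strong signal; a single hit may be a
    user browsing to a decoy that is a legitimate site. Threshold is assumed."""
    return sorted(h for h, ds in hits.items() if len(ds) >= threshold)

def suricata_rules(cfg: FormbookConfig, base_sid: int = 9000000) -> List[str]:
    """Exact-match dns.query rules (Suricata 5+ syntax); bsize pins the whole
    buffer so lookalikes do not fire. SID range is an assumption."""
    return [
        f'alert dns $HOME_NET any -> any any (msg:"FormBook {cfg.campaign} '
        f'config domain {d}"; dns.query; content:"{d}"; nocase; bsize:{len(d)}; '
        f'sid:{base_sid + i}; rev:1;)'
        for i, d in enumerate(sorted(cfg.domains))
    ]

if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    hits = score_hosts(DNS_LOG, cfg)
    for host, ds in sorted(hits.items()):
        print(host, sorted(ds))
    print("likely infected:", likely_infected(hits))
    print("\n".join(suricata_rules(cfg)))
```

Exact-match rules deliberately ignore subdomains; the Python matcher covers those for retrospective hunting, where a bit of noise is acceptable and the per-host count filters it.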
Targets
- Target: Quotation.exe
- Size: 267KB
- MD5: 1f2e931a76dbfac440c933b05a2c8e03
- SHA1: 5a88cfede5d282779cd290241d00be1012967c1f
- SHA256: e8edf009c1c82f348ad925f7f9a34b4f241d52240c6cb43ab4536c4b363d5322
- SHA512: 36d3fe9e87a96782c6444bdad565c3abee88c17905fe8ab8213b33d2af44c48b4dc2b2582f371e897978893b271161c7d0f8b975057038cdc02f589529e31c9b
Note: Quotation.exe differs in size and in every hash from the submitted sample in the General section (202KB, SHA256 a80f0dc7...), so both hash sets belong in the IOC list.
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET) (fired twice)
- Formbook Payload
- Adds policy Run key to start application: persistence under a Policies\Explorer\Run key, which Explorer processes at logon like the standard Run key but which is inspected far less often during triage.
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application: persistence under a CurrentVersion\Run key.
- Suspicious use of SetThreadContext: the API that process hollowing and similar injection use to redirect a suspended thread into attacker-controlled code; the FormBook payload should be expected inside another process, not only in Quotation.exe.
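The two Run-key signatures above are the persistence a responder checks first on a suspected host. As an added example (not part of the report, and not this sample's actual registry entries), the script below parses a `reg export`-style text file, collects every value under the Run, RunOnce and Policies\Explorer\Run autostart keys in any hive, extracts the image path from each command line, and flags entries that either sit under the rarely legitimate policy key or point into a user-writable directory. REG_EXPORT and its value names and paths are constructed; the directory markers are an assumed heuristic, and the OneDrive entry is included to show that a user-writable hit still needs confirmation by signature or hash.

```python
"""Triage Run-key persistence in a Windows registry export (.reg text).
Added example, not part of the sandbox report; REG_EXPORT is constructed
and does not describe this sample's real persistence entries."""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"WinUpdate"="C:\\Users\\user\\AppData\\Roaming\\sysupd\\sysupd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\Users\\Public\\Libraries\\host.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"""

# Autostart locations the two report signatures refer to; HKCU, HKLM and
# Wow6432Node variants all end with one of these.
RUN_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
    "\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
# Assumed heuristic: directories an unprivileged user can write to, which is
# where dropped payloads usually land.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")

SECTION = re.compile(r"^\[(.+)\]$")
# "name"="data" or @="data"; data may contain \" and \\ escapes.
STRING_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

class RunEntry(NamedTuple):
    key: str
    name: str
    command: str
    image: str
    policy_key: bool
    user_writable: bool

def unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)

def iter_string_values(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for REG_SZ values; hex(...) typed values
    such as REG_EXPAND_SZ are skipped."""
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = STRING_VALUE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) is None else unescape(m.group(1))
            yield key, name, unescape(m.group(2))

def image_path(command: str) -> str:
    """First executable in a Run command line: quoted token, else up to .exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]

def find_run_entries(text: str) -> List[RunEntry]:
    """Every string value under an autostart key, with triage flags."""
    entries = []
    for key, name, data in iter_string_values(text):
        k = key.lower()
        if not k.endswith(RUN_KEY_SUFFIXES):
            continue
        image = image_path(data)
        entries.append(RunEntry(
            key=key, name=name, command=data, image=image,
            policy_key="\\policies\\explorer\\run" in k,
            user_writable=any(marker in image.lower() for marker in USER_WRITABLE),
        ))
    return entries

def suspicious(entries: List[RunEntry]) -> List[RunEntry]:
    """Policy Run keys are rarely used legitimately; a user-writable image
    needs follow-up (signature, hash) since e.g. OneDrive also lives in AppData."""
    return [e for e in entries if e.policy_key or e.user_writable]

if __name__ == "__main__":
    for e in suspicious(find_run_entries(REG_EXPORT)):
        tag = "POLICY" if e.policy_key else "RUN"
        print(f"{tag:6} {e.name!r:14} -> {e.image}")
```

Run it against `reg export HKCU\Software\Microsoft\Windows\CurrentVersion out.reg` style dumps from the host (both hives, plus Wow6432Node on 64-bit systems); the flagged images are the files to hash and compare against the two hash sets in this report.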