General
Target: 7c469d13d8d1bee81f06aa095e9a1c8e9bb2f462c0d0510821aae248e4ad3fa9
Size: 493KB
Sample: 220521-nrz4xseaf6
MD5: 3e1c55fb03d43b2ba561d18d1ef9eb4c
SHA1: 6374d7ba09d624ca5190921620dfb47aca0361e6
SHA256: 7c469d13d8d1bee81f06aa095e9a1c8e9bb2f462c0d0510821aae248e4ad3fa9
SHA512: 81a7ca9ce38120bb4c4c26793a7fcfe435978dc01d087769e934a0e3ca70f445a358b8a0c2de9f794ac653933adda4e56c9eaf170c5ff7f2348c1c894ed9da48
Static task: static1
Behavioral task: behavioral1
Sample: Astrak Ireland.exe
Resource: win7-20220414-en
Malware Config
Extracted: formbook 4.1 tef
Targets
Target: Astrak Ireland.exe
Size: 660KB
MD5: ad847505a30e1ca3b19c648c2e2fef3d
SHA1: f9c313ce7ca94bfb909cf3c93574e273a997ae98
SHA256: ad0c0d03282b4abf01f435f798fbb71d0243714518f265fc8f102f909822e671
SHA512: 31fb21148a8f5010df7c0c2a3691edfc373ab6ff2241b44d0b7dcfe0774e5d21bcd7748b02506c04164593ad4808f7bd38e41cb60cd24fb048521a6dff08b7fe
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext