General
Target: 5137d8d8948d56882e128735f0ad7ae812700cb3a3aad8778c68196657d094a5
Size: 256KB
Sample: 220521-nslb6aeag6
MD5: 620d3545a4f093b696e3653d26f2b1fc
SHA1: 2991504082225cd60b25ad25c2113a3088a37d5d
SHA256: 5137d8d8948d56882e128735f0ad7ae812700cb3a3aad8778c68196657d094a5
SHA512: a3e354171fd221bd4138edd4cb1702b161ed7024b10e164baa88d089abcc9ab3f7d5b7f06b1eabfe7316de9dd13e55493af228bc3df19c1c72080fb4f49cf9a8
Static task: static1
Behavioral task: behavioral1
Sample: 017-08.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
dmr
Targets
Target: 017-08.exe
Size: 524KB
MD5: cf1749c2777e77ea56d55148cf96f939
SHA1: d773b5765fea2e2ccc65a1b3cdce92acbf111796
SHA256: 8e2f9a1b23ade94b0803ea57ac92e916daad73d760f075fed8f1443715104531
SHA512: 9218ad6ac387daed149ccbb4824cb25e67b307fd7e4eb1bb8872da2181039a057bf6bd134247b1bcca2c75f9f8d035def9fabfa12e9624692b929f28eb95e511
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Obfuscated with Agile.Net obfuscator
  Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
- Adds Run key to start application
- Suspicious use of SetThreadContext