General

Target: 3fbb47e7bc46a3d84ecaaf0746ef0bd241c3b82c035d83c5d7601b82fd7d7479
Size: 222KB
Sample: 220521-nsw4naeah6
MD5: 8463509e179f09ddf02a58e1f0e8c8da
SHA1: c65de66ac67174e28f241b081beb48698b57a44c
SHA256: 3fbb47e7bc46a3d84ecaaf0746ef0bd241c3b82c035d83c5d7601b82fd7d7479
SHA512: 6c41af7fca741efb4fff50cd3b4689fc80cf194f58df76680c71c2cd4d30da6dc32944001649560d52a59512b2c2a5231bfb4190f65e489b6e5e71ec57ee509a
Static task: static1
Behavioral task: behavioral1
Sample: CONTRACTS.exe
Resource: win7-20220414-en
Malware Config

Extracted
Family: formbook
Version: 3.9
Campaign: nfl
Targets

Target: CONTRACTS.exe
Size: 329KB
MD5: cde2c4c399ad674bdc2a8e0d055ce60c
SHA1: 5393cf369b6a3577c195339680f97eac0d7248aa
SHA256: 8efac0f1a783fbe5627c1fca4c211583bf045bd5671d89df9418220d66078c11
SHA512: b999661383669b0225187bd99dc5b4692ef4250a913b95a8e1900eb66b54f14e705de5e462e72551da6c66f004dd534df15c7ab47c735ae48bb5adc515e41a72
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Drops startup file
Suspicious use of SetThreadContext