General
Target: 140ba6dbcbab0fe400ffb839ddf99ee72a7670f81651fefa4e431da69cbdf1b3
Size: 308KB
Sample: 220521-ntfhashbhj
MD5: 969fa6c3c9ed8d2070588778d015a9c3
SHA1: 90e5cfd30825a9905aa7e89a6cbb5c8825e23aab
SHA256: 140ba6dbcbab0fe400ffb839ddf99ee72a7670f81651fefa4e431da69cbdf1b3
SHA512: 399525ab9c6e8040d583c5d22799b5280ed8e854d9151f6cfa680dfdbef671d3d3bfd87f35948ee46853f46dfb15b2d41eec8a0afd7f3c4bfc9fcfe9f0e9e971
Static task: static1
Behavioral task: behavioral1
Sample: DHL Express Shipment Confirmation.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
aueq
Targets
Target: DHL Express Shipment Confirmation.exe
Size: 394KB
MD5: 18c2a768940bd8c992818f2c39243a0d
SHA1: 1542dd490ae68f029f4f98d1156926a67730e93a
SHA256: c8cef19967cb820d5e92f85a17ebf98f631de62c9760b1eb1a790cb25961e356
SHA512: ac516f7abf1eed59468c69ceba42541b28baa27c3c88fd244de92564ff806641e505605641f357c816978878699420152f58ca71caf0a673ba8c106b513584fc
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext