General
Target: f613838bee52f12dbcb75ec0e0df49976588c4ad55324e546c1a1bf9b3f0c8c3
Size: 392KB
Sample: 220521-nzsd2shedq
MD5: 8d5e94307d0d2f5c013a918281c57483
SHA1: 3fe6317de58a5f9843cf7bf697b0523a34e493a2
SHA256: f613838bee52f12dbcb75ec0e0df49976588c4ad55324e546c1a1bf9b3f0c8c3
SHA512: 5f2f0f0bca61103d03c575ddfb768c11d93d5fb59c68e48d003f88207db3ce90180f05c1340ee40d246c8109351fa0e91ef0f7c119492d1e4ca73f7008e2ee46
Static task: static1
Behavioral task: behavioral1
Sample: PO 31287.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: formbook
Version: 4.0
Campaign ID: w9z
Domains (as extracted from the config; FormBook embeds the live C2 among decoy domains and the report does not mark which entry is live, so treat the whole list as indicators of this campaign rather than confirmed C2):
crazzysex.com
hanferd.com
gteesrd.com
bayfrontbabyplace.com
jicuiquan.net
relationshiplink.net
ohchacyberphoto.com
kauegimenes.com
powerful-seldom.com
ketotoken.com
make-money-online-success.com
redgoldcollection.com
hannan-football.com
hamptondc.com
vllii.com
aa8520.com
platform35markethall.com
larozeimmo.com
oligopoly.net
llhak.info
fisioservice.com
tesla-magnumopus.com
cocodrilodigital.com
pinegrovesg.com
traveladventureswithme.com
hebitaixin.com
golphysi.com
gayjeans.com
quickhire.expert
randomviews1.com
eatatnobu.com
topmabati.com
mediaupside.com
spillerakademi.com
thebowtie.store
sensomaticloadcell.com
turismodemadrid.net
yuhe89.com
wernerkrug.com
cdpogo.net
dannynhois.com
realestatestructureddata.com
matewhereareyou.net
laimeibei.ltd
sw328.com
lmwworks.net
xtremefish.com
tonerias.com
dsooneclinicianexpert.com
281clara.com
smmcommunity.net
dreamneeds.info
twocraft.com
yasasiite.salon
advk8qi.top
drabist.com
europartnersplus.com
saltbgone.com
teslaoceanic.info
bestmedicationstore.com
buynewcartab.live
prospect.money
viebrocks.com
transportationhappy.com
worstig.com
Targets
Target: PO 31287.exe
Size: 713KB
MD5: d4d301c9e1554996470078236b71ee3d
SHA1: df42e6511611746e410735758e41dc1d9bed1f97
SHA256: 378a7a9a7d15d9a8a477751a956475909953f739d65d92a85d0e7997279c1bd5
SHA512: ca46d025ed7ea28f4e2928a60ff86ac1948016bb774798cb42bbaaa8ff0238ec0210fc717bd1d1e40a63ff8e51bf35b138508b4de5cfd5b03fbefd2fae3b4416
Note: this executable (713KB, SHA256 378a7a9a...) is a different object from the one listed under General (392KB, SHA256 f613838b...); do not conflate the two hash sets when writing file-based detections.
Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Adds policy Run key to start application (persistence via a Policies\Explorer\Run key, which is often overlooked by tooling that only checks the standard Run keys)
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext (an API commonly used for process hollowing and thread hijacking; consistent with code injection, though the report does not name the target process)
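The extracted domain list and the two Run-key persistence signatures above are the indicators a defender would actually hunt on. The following is an added example, not part of the sandbox report or of any tool it uses: it matches DNS query logs against the config domains on label boundaries (so `www.hanferd.com` hits but `nothanferd.com` does not) and flags Sysmon Event ID 13-style registry writes under the standard Run and Policies\Explorer\Run keys. The domain subset, the log formats, the registry key paths and the sample telemetry are all assumptions or constructed data; the report itself prints only the signature names, not the exact keys or values.

```python
"""Hunt for the FormBook (campaign w9z) indicators from the report above.

Added example; sample DNS lines and registry events are constructed here.
"""
import re
from typing import Iterable, Optional

# Subset of the domains from the extracted config above; extend with the
# full list when hunting. Any hit means contact with a domain from this
# config, not necessarily a live C2 session (FormBook mixes decoys in).
CONFIG_DOMAINS = (
    "crazzysex.com",
    "hanferd.com",
    "gteesrd.com",
    "drabist.com",
    "advk8qi.top",
    "quickhire.expert",
    "worstig.com",
)

# Persistence locations implied by the "Adds Run key" and "Adds policy Run
# key" signatures. Assumption: the conventional HKCU/HKLM paths.
RUN_KEY_SUFFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)


def normalize_domain(name: str) -> str:
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return name.strip().lower().rstrip(".")


def matches_config(qname: str, domains: Iterable[str] = CONFIG_DOMAINS) -> Optional[str]:
    """Return the config domain that qname equals or is a subdomain of.

    Matching is done on label boundaries: 'www.hanferd.com' matches
    'hanferd.com', but 'nothanferd.com' does not.
    """
    q = normalize_domain(qname)
    for d in domains:
        d = normalize_domain(d)
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed DNS log format: "<timestamp> <client_ip> <qname> <qtype>"
DNS_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns(lines: Iterable[str]) -> list:
    """Return one hit dict per DNS query that resolves to a config domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the hunt
        ts, client, qname, _qtype = m.groups()
        matched = matches_config(qname)
        if matched:
            hits.append({"ts": ts, "client": client,
                         "qname": normalize_domain(qname), "config_domain": matched})
    return hits


def scan_registry(events: Iterable[dict]) -> list:
    """Flag registry value writes under a Run or Policies\\Explorer\\Run key.

    Events are Sysmon Event ID 13-style dicts with 'TargetObject' and 'Image'.
    """
    hits = []
    for ev in events:
        target = ev.get("TargetObject", "").lower()
        for suffix in RUN_KEY_SUFFIXES:
            # Match the key itself or any value written directly beneath it.
            if target.endswith(suffix) or (suffix + "\\") in target:
                hits.append({"image": ev.get("Image"),
                             "target": ev.get("TargetObject"), "key": suffix})
                break
    return hits


# Constructed sample telemetry for a dry run.
SAMPLE_DNS = [
    "2022-05-21T10:00:01Z 10.0.0.5 www.hanferd.com. A",
    "2022-05-21T10:00:02Z 10.0.0.5 nothanferd.com A",
    "2022-05-21T10:00:03Z 10.0.0.7 ADVK8QI.TOP A",
    "2022-05-21T10:00:04Z 10.0.0.7 update.microsoft.com A",
]
SAMPLE_REG = [
    {"Image": r"C:\Users\u\AppData\Roaming\xyz.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\xyz"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for h in scan_dns(SAMPLE_DNS):
        print("DNS hit:", h)
    for h in scan_registry(SAMPLE_REG):
        print("REG hit:", h)
```

On the constructed input the DNS scan reports two hits (`www.hanferd.com` and `advk8qi.top`) and ignores the look-alike `nothanferd.com`; the registry scan reports only the write under Policies\Explorer\Run. Because FormBook's list is mostly decoys, a single DNS hit is a triage lead, while a host showing both a Run-key write and a config-domain lookup deserves immediate containment.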