General

Target: 8f48e9ea8fcfbc03fff80a621f21db65da0e777dc16fb62d97b5f4e4e0511dc7
Size: 274KB
Sample: 220521-paqdtsehe8
MD5: b1ce68a3db1a65eb49e88f649b215b3a
SHA1: 2b1a329fa1ba49e4616faf210562f8a6a740c0cc
SHA256: 8f48e9ea8fcfbc03fff80a621f21db65da0e777dc16fb62d97b5f4e4e0511dc7
SHA512: 38e8f3932da34ff6688f7fce2562db835c4eed3fb3ae731d41c832d8e243089fbe2495b408844d0803c8213c16ec5d981f36c427358488c9f301bda3ac58dccf
Static task: static1
Behavioral task: behavioral1
Sample: Inquiry.exe
Resource: win7-20220414-en
Malware Config

Extracted
Family: formbook
Version: 4.0
Campaign: ngs
Decoy/C2 domains (Formbook hides one live C2 inside a list of decoys, many of them legitimate sites, so use the entries below as hunting pivots rather than as a blocklist):
logismatic.com
smartfinanceclub.com
littlefingerkids.com
aibus.ltd
presentphoto.com
bilregister.info
feellightinbodymind.com
ulmansails.com
grovegaea.com
butt.gold
designersescape.com
ucuziplik.com
cekmiyor.store
villaniproperties.com
1buybuy.com
solarpanelchina.com
healthbenefits.site
sky962.com
xn--bent-8qa.com
alltraffic2update.download
lingqianjp.com
hzciaipet.com
sunsetlandscaper.com
odysseyssas.com
lakeventsnz.com
pickmyjerseys.com
dudespa.life
line-objects-internal.com
tslgcy.com
yunrenwenhua.com
doanthu.info
ipwe.info
a-spyrevisuals.com
gntor.com
hingling.com
h20.market
testgk18domain.academy
stssx.com
thejournalandthelittlejoys.com
topguncode.com
aad7.net
flyfunusa.com
financeload.com
teatrecatalunya.com
perkakasunik.net
thepolygame.net
tahtatoys.com
matraconerp.com
hotsuppliescompany.com
australiandesserts.com
www724234.com
unisparque.com
hyundaiotogiadinh.com
raivstudios.net
saylessentertainment.com
aodeer.com
flotvnet.com
tpmnt.com
salinasenergy.com
unionit.net
takelisboainatube.com
6raawpuz.biz
reloj-de-pared.com
foyear.com
worstig.com
Targets

Target: Inquiry.exe (the analysed file; it differs in size and in every digest from the submitted sample listed under General)
Size: 334KB
MD5: 1a7fd254210f7ad82f72bebb508c6f19
SHA1: 1225574ff9386945611656ed77925134d71f4c71
SHA256: 1b4dea59e406d410a3d0d1ea8245c339fa8f5eb925f1378a09b0ee812c06508e
SHA512: 0a6e328a22fa3fb42c27af80c0f104a3baf0520590fe1b508fa301d3cd465cf71a3434f04692676f6c45e13113f2045953a8c7800a53784fc2564934419dfe92
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload
Deletes itself
Adds Run key to start application (persistence)
Suspicious use of SetThreadContext (process-injection indicator)
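As an added example (not from the sandbox, the page, or the Formbook analysis itself), here is a parser for the flat "key / value / -" layout in which sandbox reports like this one are commonly scraped, together with a digest sanity check and a routine that compares a local file's digests against the hashes a report block lists. The excerpt it parses is constructed from values on this page with the task block and most decoy domains left out; reading the third config field as a campaign identifier follows the family/version/campaign order Triage-style Formbook configs use and is an assumption.

```python
"""Added example: parse a flat sandbox-report dump into IOCs, sanity-check
the digests, and compare a local file against the hashes it lists."""
import hashlib
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SCALAR_KEYS = {"Target", "Size", "Sample"} | set(DIGEST_LEN)
SECTIONS = {"General": "general", "Malware Config": "config", "Targets": "targets"}
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.I)

# Constructed excerpt: values copied from the report, in the flat layout the
# extraction produced; task block and most decoy domains omitted.
REPORT = """\
General
-
Target
8f48e9ea8fcfbc03fff80a621f21db65da0e777dc16fb62d97b5f4e4e0511dc7
-
Size
274KB
-
MD5
b1ce68a3db1a65eb49e88f649b215b3a
-
SHA256
8f48e9ea8fcfbc03fff80a621f21db65da0e777dc16fb62d97b5f4e4e0511dc7
Malware Config
Extracted
formbook
4.0
ngs
logismatic.com
smartfinanceclub.com
Targets
-
-
Target
Inquiry.exe
-
MD5
1a7fd254210f7ad82f72bebb508c6f19
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Adds Run key to start application
"""


def parse_report(text):
    """Return {'general': {...}, 'config': {...}, 'targets': [{...}, ...]}."""
    lines = [ln.strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln and ln != "-"]      # '-' is bullet residue
    out = {"general": {}, "config": {}, "targets": []}
    section, i = None, 0
    while i < len(lines):
        ln = lines[i]
        if ln in SECTIONS:
            section, i = SECTIONS[ln], i + 1
        elif section == "config" and ln == "Extracted":
            # Assumed Triage order for a Formbook config: family, version, campaign
            fam, ver, camp = lines[i + 1:i + 4]
            out["config"] = {"family": fam, "version": ver, "campaign": camp, "domains": []}
            i += 4
        elif section == "config":
            if DOMAIN_RE.match(ln):                        # decoy/C2 list follows
                out["config"]["domains"].append(ln.lower())
            i += 1
        elif section == "targets" and ln == "Target":     # one block per analysed file
            out["targets"].append({"Target": lines[i + 1], "signatures": []})
            i += 2
        elif ln in SCALAR_KEYS:                            # key line, then its value
            cur = out["general"] if section == "general" else out["targets"][-1]
            cur[ln] = lines[i + 1]
            i += 2
        else:                                              # remaining lines are signatures
            if section == "targets":
                sigs = out["targets"][-1]["signatures"]
                if ln not in sigs:                         # the dump lists each hit twice
                    sigs.append(ln)
            i += 1
    return out


def digests(data):
    """MD5/SHA1/SHA256/SHA512 of a byte string, keyed like the report."""
    return {a: getattr(hashlib, a.lower())(data).hexdigest() for a in DIGEST_LEN}


def malformed_digests(fields):
    """Digests whose length or alphabet does not fit the algorithm (a
    truncated or mis-copied hash is the usual transcription error)."""
    return [a for a, n in DIGEST_LEN.items() if a in fields
            and not re.fullmatch(r"[0-9a-f]{%d}" % n, fields[a].lower())]


def verify_file(data, fields):
    """Compare a file's digests with the ones a report block lists; every
    listed algorithm must agree before the file is treated as that sample."""
    have = digests(data)
    return {a: have[a] == fields[a].lower() for a in DIGEST_LEN if a in fields}
```

Because the submitted sample and the analysed Inquiry.exe carry different hashes, run verify_file against both blocks when matching a file found on a host: a match on the General block means you hold the submission as uploaded, a match on the Targets block means you hold the unpacked executable.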