General

Target: 880da923f8772e14298ecf7dc1d8008a5b3ec594faa09121b14a3b5764006584
Size: 313KB
Sample: 220521-pawwlsehf6
MD5: 86fbd99fc4e7ca9003e8a14c879ec642
SHA1: 7a3af7f2f7036a4f2497f3e8b78e1d8132805e0d
SHA256: 880da923f8772e14298ecf7dc1d8008a5b3ec594faa09121b14a3b5764006584
SHA512: e5accc929ca5c224678b705d72ea5c1201ee68d453d2ece40a4289abd480a109ed1f5b82e5e8da3d2cc8dd1d146dda813a643e8baa839c5dcfaca7dbc3ce3a05

Static task: static1
Behavioral task: behavioral1
Sample: ORDER-#4536 ,pdf.exe
Resource: win7-20220414-en
Malware Config

Extracted
Family: formbook
Version: 3.9
Campaign: te
Domains (the extracted FormBook list mixes the real C2 with decoy domains, many of them legitimate sites, so treat a single match as weak evidence on its own):
165whc.info
qdbfqfphjidqgtbttnq.com
theforceforsakens.com
septsix.com
meinnatura.com
markcici.com
rh-tv.com
yangzhie288.com
crystalent.biz
ipearlvoyager.com
depositvoucher.accountant
xn--g5ty9lgeu39hdrv5sm.com
newitemof.info
bombkitty.com
lewesdelawarerealestate.com
9c1nine.loan
ramrajindustries.com
standardpitbullpups.com
gentlestitches.com
dotruckbig.live
fenbf.win
111civicsquare-610.com
crisngrt.com
isolb.net
belmonthighpoint.com
marflaw.com
abeshashinkan.com
geodevconstruction.com
bradshawtccontracting.com
martinsappliance.net
kranche.com
fivestarsalute.com
needleyoudocumentary.com
kiranabharati.com
cxt-smart.com
mialmitala.com
mightymoversmd.com
mmluav27.com
lasanitariaortopedica.com
goldenics.com
jlzbtx.com
redadwords.com
uniqreap.com
cristao.top
ocak.info
badcredit-autoloans.loan
johanssonjohansson.com
plywoodhyderabad.com
berlinda-va.net
wanyizhigong.net
tuodqka.com
erinranney.com
inmoregistrocanarias.com
cupidstep.men
2070pe.com
lifeasanautismmomma.com
hbyrby.com
rideshareburlington.com
stjameseutawville.com
wizardmadness.com
youwillnevermoldalone.com
ifarm4u.com
craftyeducation.com
f-taxi-ai.com
flycoz.com
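Because the list above is mostly decoys, a useful hunt is not "did any host resolve one of these domains" but "did one host resolve several of them in a short window", which is what a running FormBook bot produces as it cycles through its list. The following Python script is an added example, not part of the report or of any sandbox tooling; it embeds a subset of the domains from the extracted config and a constructed resolver log format (timestamp, client IP, query name), and flags clients that resolve at least `threshold` distinct list domains within `window`. Adapt `parse_dns_line()` to your resolver's real log format and paste in the full list when hunting.

```python
"""Hunt DNS logs for FormBook decoy-list fan-out (added example).

FormBook contacts many domains from its embedded list, most of which are
decoys (often legitimate, registered sites), so a single match is weak
evidence. The stronger signal is one client resolving several distinct
list domains within a short window. The log format below is constructed
for this example; adapt parse_dns_line() to your resolver's format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the domains extracted from the FormBook 3.9 config in the
# report above; extend with the full list when hunting for real.
FORMBOOK_DOMAINS = {
    "165whc.info", "qdbfqfphjidqgtbttnq.com", "theforceforsakens.com",
    "septsix.com", "meinnatura.com", "markcici.com", "rh-tv.com",
    "yangzhie288.com", "crystalent.biz", "ipearlvoyager.com",
    "xn--g5ty9lgeu39hdrv5sm.com", "flycoz.com",
}

# Constructed sample resolver log (not from the report): ISO timestamp,
# client IP, the word "query", query name. One unparseable line included
# to show that junk is skipped rather than crashing the hunt.
SAMPLE_DNS_LOG = """\
2022-05-21T10:00:01 10.0.0.5 query www.example.com
2022-05-21T10:00:03 10.0.0.5 query septsix.com
2022-05-21T10:00:04 10.0.0.5 query www.septsix.com
2022-05-21T10:00:09 10.0.0.5 query rh-tv.com
2022-05-21T10:00:15 10.0.0.5 query crystalent.biz
2022-05-21T10:00:20 10.0.0.5 query flycoz.com
2022-05-21T10:30:00 10.0.0.7 query rh-tv.com
2022-05-21T11:45:00 10.0.0.7 query markcici.com
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")


def parse_dns_line(line):
    """Return (timestamp, client, qname) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1))
    return ts, m.group(2), m.group(3).rstrip(".").lower()


def matched_domain(qname, domains):
    """Return the list domain that qname equals or is a subdomain of, else None.

    Walks the label suffixes (www.septsix.com -> septsix.com -> com) so that
    hostnames under a listed domain count, while look-alikes such as
    septsix.com.evil.test do not.
    """
    labels = qname.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def find_fanout(log_text, domains=FORMBOOK_DOMAINS, threshold=3,
                window=timedelta(minutes=5)):
    """Flag clients that resolve >= threshold distinct list domains within window.

    Returns {client: sorted list of distinct list domains in the first
    offending window}. Clients below the threshold are not reported.
    """
    events = defaultdict(list)  # client -> [(timestamp, matched domain)]
    for line in log_text.splitlines():
        parsed = parse_dns_line(line)
        if parsed is None:
            continue
        ts, client, qname = parsed
        hit = matched_domain(qname, domains)
        if hit:
            events[client].append((ts, hit))

    flagged = {}
    for client, hits in events.items():
        hits.sort()  # chronological; tuples sort on the timestamp first
        for i, (start, _) in enumerate(hits):
            in_window = {d for t, d in hits[i:] if t - start <= window}
            if len(in_window) >= threshold:
                flagged[client] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for client, doms in find_fanout(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(doms)} list domains in 5 min: {', '.join(doms)}")
```

In the constructed log, 10.0.0.5 resolves four distinct list domains within twenty seconds and is flagged; 10.0.0.7 touches two list domains over an hour apart and is not, which is the behaviour you want given that rh-tv.com or markcici.com may be visited legitimately. Pair this with the Suricata "FormBook CnC Checkin" alerts from the report for confirmation on the HTTP side.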
Targets

Target: ORDER-#4536 ,pdf.exe (a double-extension lure: the name reads as a PDF but the file is an executable)
Size: 504KB
MD5: 6a094a17412972fa961de3851585c5d9
SHA1: d4c4f6f3dd9c59fad99b4a419b3b30f1b7c4bb15
SHA256: 50f8d8b5cbbad3f2a1d4a25b84553ba285f49318ab3dbb8d436b6709582997e8
SHA512: 6e05941dd561baaa89e74a7461247b5e83e3adab5e0ad6d26e796e8422ebc6fa617c0c8461cb97801e65693de50adc18b138c067d0a01a8b1c83567fff1740ba

Note that this executed target is a different file from the submitted object in the General section (504KB vs 313KB, with different hashes), so use the hashes above when hunting for the executable itself.

Network alerts
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Signatures
Formbook Payload
Adds policy Run key to start application (persistence through the Policies\Explorer\Run registry key rather than the more commonly monitored CurrentVersion\Run)
Deletes itself (the original executable is removed after execution, so hunt for the copy it drops and for the Run key, not the original path)
Suspicious use of SetThreadContext (rewriting another thread's context is characteristic of process injection, where execution is redirected into injected code)