General
- Target: d4debc692c46662beafe17cfe99f61ef6df421baf190174620458926bebfd080
- Size: 310KB
- Sample: 220521-pe1qcsfbe8
- MD5: 371b7e70c8134b949bdd9316ee0836f2
- SHA1: a47010df85acba58c8c587c3ca28ca0f5821ab61
- SHA256: d4debc692c46662beafe17cfe99f61ef6df421baf190174620458926bebfd080
- SHA512: bf747967cf4785727f9d49228d2b2cc75af1ad7bd04a9841ac49695ff254b9881cad957ac119246cd8a3840ba9f725d27e88516130169cd2369aa3d293e0558a
- Static task: static1
- Behavioral task: behavioral1
- Sample: Purchase Order 564537737 May.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
i0qi
Targets
- Target: Purchase Order 564537737 May.exe
- Size: 411KB
- MD5: bf15960dd7174427df765fd9f9203521
- SHA1: cb1de1df0c3b1a1cc70a28629ac51d67901b17aa
- SHA256: 9187706072f008a27c26421791f57ec33a59b44b012500b2db3eeb48136fb2da
- SHA512: 7e8b9907233234440135f27ad813db97e20790baf8cb92949ae9185fa09cb4b7b0da35b6da2b33f3ac64a33545f32f959d90d73f7a6a4f14988c8ac3fd005074
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext