General
Target: aff26754ef23f25c764d89c075e57536fc01b17cf6cde627dbf892783723d5fb
Size: 308KB
Sample: 220521-pgqm6sfce2
MD5: 00d120938f03c49aa2a87ce02570dc2a
SHA1: 0cb543eedda68dcb65b9df964b3df00e15c8a747
SHA256: aff26754ef23f25c764d89c075e57536fc01b17cf6cde627dbf892783723d5fb
SHA512: 32f07a005aebd13d86cdc929f0b123115a7d67903de8af15f1f1c2a3a9f76e6171ad3f66cce1666992f11af3411325ab76f0f2b309df3631a92c1ff680d0b0a0
Static task: static1
Behavioral task: behavioral1
Sample: Stripe.exe
Resource: win7-20220414-en
Malware Config
Extracted: formbook 4.0 ze01
Targets
Target: Stripe.bat
Size: 387KB
MD5: 52f40e38350510d0101f33526d6fb0a6
SHA1: e5b3d8f68a5bcca610661b2e3c2276c9e260f948
SHA256: fec5ae0ee4950c22aa3278fbea92faf21abc081160d32ab3047d03c6409f8829
SHA512: 55113f082c1211f0e3d514052ba9d1c3eadffa2d4f9712833cd03d2d9c856054669f26232928f305b15c638074e5d55d3e5e632c44126b79d21abe1f467f1f16
CoreEntity .NET Packer: a .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook Payload
Adds Run key to start application
Suspicious use of SetThreadContext