General
Target: 5b8a341d18803152d2be2af3313830091764943deaad2e391907c0b23e521e50
Size: 271KB
Sample: 220521-plbd2sagak
MD5: 9baaf843b51d81dcaf87703cc309adb1
SHA1: acca45c245832d041dbcb6b67c93fc623a3a9533
SHA256: 5b8a341d18803152d2be2af3313830091764943deaad2e391907c0b23e521e50
SHA512: 70822a0e72d2a13f753a75003749481e93de26a88496dcd7a0796b9de18c4f9e29c9c5b86d8ab6f66b80b98b203259992dab21c7a3f6d9a5a71037767f0b412e
Static task: static1
Behavioral task: behavioral1
Sample: Salary.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.0
g8u
stuition.com
mj-sculpture.com
cannatainmentevents.com
dianjintang.com
rmlusitania.info
effet-spiruline.com
flatheme.com
supergaminator-vip.com
craftyourmagic.com
lakai.ltd
electionshawaii.com
iqpdct.com
thebestfourstarhotels.com
satoshiceo.com
saintmartiner.com
brothersmarinetoronto.com
citicoin.online
scentsationalsniffers.com
hellonighbourgameees.com
displayonline-france.com
cait-compare.com
aprenderoratoria.com
stehtisch24.com
cocktailandcocktalk.com
hybridtablesaw.com
ynnkfs.com
capitolman.com
xccomm.com
dannyhustle.com
9jiuhao.com
ossigenopoliatomicoliquido.biz
casayards.com
hotelmesonreal.com
lffcfftl.com
raiserobo.com
ssav33.com
oceanicmarinerisks.com
star-fairtrading.com
universecoolest.com
www8557v.com
reparaciones-ordenadores.com
residenteyecarepa.com
x-hom.com
finestsalon.com
xn--n8jydrczh8g7f7a7lp527d.com
dallasfortworthseopro.com
talentsplanner.com
gdmen.com
life-insurer-zone.live
tunnelrobot.com
vietnamexport.net
inlishui.site
inaneufeld.com
sleepingsling.com
huaian.ltd
iluxol.com
mahavirjwellersnoida.com
fastaskme.men
rsinsur.com
datingevo.com
bringmesomething.online
banjiasanti.com
zhixinchain.net
medifloors.com
tromagy.com
Targets
Target: Salary.exe
Size: 301KB
MD5: cddc72c9292768f8719c1e5127a9997d
SHA1: 5ae294116d27d67b2c3cee4b0b1b79ecbd25d582
SHA256: f3f3cda95f4d655f189381268676beef7ab70ed8355ff178abcad416c71adb22
SHA512: 240c7a82c7b848f59aef3e09c01eca8d97c853ae7bf1270dea844835876019d8ee9eac83c5d7bc2ad56bdddd8853c6877a3a5c79ec0ba504eb4e8cb1200a49c1
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext