General
Target: dcd73db429860f4bc7129bb0a18fac90b153c23708a5f51799d37d67cc1c0397
Size: 286KB
Sample: 220521-pr2s7abbbq
MD5: 026fb7b4b0e9b4af2fe861f3885f1a2a
SHA1: d7d736afeb73fa81f98ce86b83491709273d434a
SHA256: dcd73db429860f4bc7129bb0a18fac90b153c23708a5f51799d37d67cc1c0397
SHA512: b73ca8865c13785115b6fcd6f02e3044c3f22fcc261ba58152ad836c5510ebcece95a04b1a6184e0855423296fc8528037564c8b6400fc7d860b6df4432c0f1f
Static task: static1
Behavioral task: behavioral1
Sample: LIST OF PRODUCTS AND SPECIFICATIONS.pif.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: oil4
C2 domains:
beautytrends.store
artthon.com
notimemanifesto.com
myhallrewards.com
paradiseholidaysindore.com
merahputihclub.com
jualmobilmurahtoyota.com
b-engineer.studio
pisf.net
lwhy.ltd
pastorbiodun.com
villagewalkresales.com
huakang-data.com
ilovebatidoras.com
rongqigangban.net
lakeventsnz.com
beslfs.info
yannabez.tech
panigalev4.net
wmfuture.com
etsglobalafrica.info
wabook.net
songjiya23.com
arkaholicapparel.com
daaxe.com
bitblocksugar.com
quintadesantacruzrental.com
investmentwide.com
myharley.net
cashmax7.com
sonderfreetours.com
kimsecimkazanir.com
uirevani.com
basusushop.com
pysxnj.com
shoulderforhire.com
alikaussadornment.com
cll.ink
3v-concept-bh.com
fbme-info15940102.com
reply-monitor.com
yangzheng.site
motivationbasket.com
thesandybarrel.com
insuranceone.biz
washautoservice.com
lantisloppan.com
lhanes.store
fakejohnhayes.com
hippieworktheflow.com
yellow-oil.com
dynamiceth.com
vidlyard.com
qchbkj888.com
homeloancorona.com
perapertu.com
canadaoba.com
dripsmexico.com
spk-spk77.com
pqqdx.info
primelookbeauty.com
barnplayhouse.net
wecreate.agency
timdavid.info
regulars6.info
Targets
Target: LIST OF PRODUCTS AND SPECIFICATIONS.pif.exe
Size: 353KB
MD5: 0edbbf75ef9d721e2fa0f253ea04e240
SHA1: 23bfdfc2350d21972cdee329ff96813c14488d6a
SHA256: d33a10ceda8ca53c008f216420f52ff2371705f69803603b688e1fbf3bd1b13d
SHA512: c66ec95d11efcf3a54da2588e9b2e6f084df5af505ba16c29d300d9e274784383c36a4776c672e056e85b15aef28f9ee49711c552e9796547e526057f098853e
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext
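Reports in this flattened one-key-per-line layout are awkward to consume by hand, so the following is an added example (written for this page, not code from the sandbox report or from any vendor tool) that parses the layout into structured IOCs: digests classified by hex length, config domains matched by a hostname regex, deduplicated Suricata alert names, and the submitted file name, which is checked for the `.pif.exe` double extension seen above. The report excerpt embedded in the script is constructed from the lines above and cut down to three of the config domains; the `EXEC_EXTS` list, the Suricata rule text, and the SID range are assumptions of this example.

```python
"""Added example: parse a flattened Formbook sandbox report into IOCs.

Illustration code for this page, not part of the sandbox report. The excerpt
below is constructed from the report above, trimmed to three config domains.
"""
import re

SAMPLE_REPORT = """\
Sample
LIST OF PRODUCTS AND SPECIFICATIONS.pif.exe
Malware Config
Extracted
formbook
4.1
oil4
beautytrends.store
artthon.com
notimemanifesto.com
Targets
-
Target
LIST OF PRODUCTS AND SPECIFICATIONS.pif.exe
-
Size
353KB
-
MD5
0edbbf75ef9d721e2fa0f253ea04e240
-
SHA1
23bfdfc2350d21972cdee329ff96813c14488d6a
-
SHA256
d33a10ceda8ca53c008f216420f52ff2371705f69803603b688e1fbf3bd1b13d
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
"""

# Hex digest length -> algorithm, for the digests the report prints.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-f]+$")
# Lower-case hostname: dotted labels plus alphabetic TLD, so "4.1" and "353KB" never match.
DOMAIN_RE = re.compile(r"^(?=.{4,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# Keys whose value (the file name) sits on the following line.
FILE_KEYS = {"Sample", "Target"}
# Final extensions that make a double extension worth flagging (assumed list).
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk"}


def parse_report(text: str) -> dict:
    """Return {'hashes': {algo: set}, 'domains': set, 'alerts': set, 'files': set}.

    Values are classified by shape (digest length, hostname regex, 'suricata:'
    prefix); only the file-name keys need a look-ahead, which also keeps a
    name like '.pif.exe' from being taken for a domain.
    """
    lines = [ln.strip() for ln in text.splitlines()]
    iocs = {"hashes": {}, "domains": set(), "alerts": set(), "files": set()}
    consumed = set()
    for i, line in enumerate(lines):
        if i in consumed or not line or line == "-":
            continue
        low = line.lower()
        if line in FILE_KEYS and i + 1 < len(lines):
            nxt = lines[i + 1]
            # In the General block 'Target' is followed by a SHA256; leave that
            # line for the digest branch on the next iteration.
            if not (HEX_RE.match(nxt.lower()) and len(nxt) in HASH_LENGTHS):
                iocs["files"].add(nxt)
                consumed.add(i + 1)
        elif line.startswith("suricata:"):
            iocs["alerts"].add(line.split(":", 1)[1].strip())  # set() drops the repeats
        elif HEX_RE.match(low) and len(low) in HASH_LENGTHS:
            iocs["hashes"].setdefault(HASH_LENGTHS[len(low)], set()).add(low)
        elif DOMAIN_RE.match(low):
            iocs["domains"].add(low)
    return iocs


def has_double_extension(filename: str) -> bool:
    """True for names like 'x.pif.exe': a short inner extension before an executable one."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) != 3:
        return False
    inner, outer = parts[1], parts[2]
    return outer in EXEC_EXTS and 1 <= len(inner) <= 4 and inner.isalnum()


def suricata_dns_rules(domains, base_sid=9000001):
    """One DNS-query alert per domain (Suricata 5+ keywords; SIDs are arbitrary local values).

    'endswith' matches the apex and its subdomains; it is deliberately loose and
    would also fire on a name that merely ends with the same literal.
    """
    rules = []
    for n, dom in enumerate(sorted(domains)):
        rules.append(
            f'alert dns $HOME_NET any -> any any (msg:"Formbook config domain {dom}"; '
            f'dns.query; content:"{dom}"; nocase; endswith; '
            f'classtype:trojan-activity; sid:{base_sid + n}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    iocs = parse_report(SAMPLE_REPORT)
    for algo, digests in sorted(iocs["hashes"].items()):
        print(algo, *sorted(digests))
    for name in sorted(iocs["files"]):
        print("file", name, "(double extension)" if has_double_extension(name) else "")
    print("\n".join(suricata_dns_rules(iocs["domains"])))
```

Run it against the full report text to get the complete domain set. Treat the generated rules as alert-only rather than a block list: Formbook configs are known to mix the live C2 with decoy domains, and nothing in this report says which of the entries above was actually contacted beyond the two ET MALWARE check-in hits.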