General
- Target: 66cba319c20a6e956a09334f4a23abc9c3d22c95f49731a04c26e2f8b8598412
- Size: 227KB
- Sample: 220521-pwtndagag9
- MD5: 5b0e92531d0ea6f32e8f64787fcc9bda
- SHA1: 290f7cacc474b9a5b55f2958d87124d3605ca866
- SHA256: 66cba319c20a6e956a09334f4a23abc9c3d22c95f49731a04c26e2f8b8598412
- SHA512: b3ecf63a9532e94b08c930b91cb051658b4616b3a66fa2a333e4e9441c73cf32e87b11b361d98de179dc8d54b3ef155acdc26ec0717af3caccac43d8c1ff2a09
Static task
- static1

Behavioral task
- behavioral1
- Sample: 430917.exe
- Resource: win7-20220414-en

Behavioral task
- behavioral2
- Sample: 430917.exe
- Resource: win10v2004-20220414-en
Malware Config

Extracted
- Family: formbook
- Version: 3.9
- Campaign ID: s5l
- Domains:
  - greenstock.info
  - laurajaneaesthetics.com
  - 817comm.com
  - dbprimery.com
  - slzu-vxtx9.biz
  - covetpro.com
  - 50.ink
  - weick.email
  - 88717888.com
  - tongyue0423.com
  - anchorsky.com
  - horapatarot.com
  - cadillacforless.com
  - primesupplyvintage.com
  - torchinstant.win
  - thebrandishere.com
  - www-69677.com
  - savestj.com
  - tommydad.com
  - xigjailbreak.com
  - contulinemotieeszere.info
  - virtualrealitydomainnames.com
  - oldschoolrentalcars.com
  - zerosumtoken.info
  - facingrods.com
  - bagodawatch.com
  - theecostone.com
  - fireangelstech.com
  - lendingnetworksmail.com
  - apartemenbegawan.com
  - oniapparel.com
  - sanjeevkumarvestige.com
  - jiqywrrcmyudxaydrw.com
  - ptt-store.com
  - affilifaq.net
  - eyezonsite.com
  - youreadorkable.com
  - eh-sc.com
  - diariodasnoticias.com
  - bcqts.com
  - 9a176.com
  - triplicesports.com
  - thetravelguideindia.com
  - frottolesignoraggio.info
  - swiftlogistics-service.com
  - 36lk.info
  - webuyoldmotorcycles.com
  - mikedtoyota.com
  - honghuyangguang.com
  - soft-bits.com
  - twheb.com
  - poshchain.com
  - socialgeeknwa.com
  - alltexvets.com
  - coscolg.com
  - theflyingwolves.com
  - stonebridgeiwm.info
  - requestforcollect.com
  - weatherdeep.com
  - webxhard.com
  - six.ltd
  - belamargarida.com
  - eskisehirkahvefestivali.com
  - sf8803.com
  - hearxy.com
Targets
- Target: 430917.exe
- Size: 330KB
- MD5: e194989989a1a67a7734611823a1524f
- SHA1: bcffc771e7e2f343a007e9a60da71a1e342d691e
- SHA256: 06ae29042dd19e5cc3e287eafcb47a934aba12b9c3d4224d31f64a700b1b77ca
- SHA512: 76641f8ed4a09ee40f233f8ba537a8841e6b8cd5f0d7b16a8efcc9154dcc868a05fe72a4f219c948f70fc153ead56da52fb13492c5cad1cba59798171a5637d8
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext