General
Target: 17860814e8bd76c17950f886ad9de46cea5d891c4144f7e47f1a64d990e152c1
Size: 245KB
Sample: 220521-pyra2agbh7
MD5: fb111186a13baae8436018acb8f85c7f
SHA1: 7bcbd64e6a0020967d3881baec989eaecb19606f
SHA256: 17860814e8bd76c17950f886ad9de46cea5d891c4144f7e47f1a64d990e152c1
SHA512: 57a24e0fb1f18c55c26cc3ebc826d450be5256fd27749a4f7487d3376787d7687397979147a91ba88dcf82ab74c64d65b3619ea14066c698deadb789b7e92b41
Static task: static1
Behavioral task: behavioral1
  Sample: doc094.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: doc094.exe
  Resource: win10v2004-20220414-en
Malware Config
Extracted
Family: formbook
Version: 3.9
Campaign: s5l
C2 domains (65 entries; a FormBook config embeds one live C2 among decoy domains, most of which are legitimate sites, so no single entry below should be treated as confirmed infrastructure on its own):
greenstock.info
laurajaneaesthetics.com
817comm.com
dbprimery.com
slzu-vxtx9.biz
covetpro.com
50.ink
weick.email
88717888.com
tongyue0423.com
anchorsky.com
horapatarot.com
cadillacforless.com
primesupplyvintage.com
torchinstant.win
thebrandishere.com
www-69677.com
savestj.com
tommydad.com
xigjailbreak.com
contulinemotieeszere.info
virtualrealitydomainnames.com
oldschoolrentalcars.com
zerosumtoken.info
facingrods.com
bagodawatch.com
theecostone.com
fireangelstech.com
lendingnetworksmail.com
apartemenbegawan.com
oniapparel.com
sanjeevkumarvestige.com
jiqywrrcmyudxaydrw.com
ptt-store.com
affilifaq.net
eyezonsite.com
youreadorkable.com
eh-sc.com
diariodasnoticias.com
bcqts.com
9a176.com
triplicesports.com
thetravelguideindia.com
frottolesignoraggio.info
swiftlogistics-service.com
36lk.info
webuyoldmotorcycles.com
mikedtoyota.com
honghuyangguang.com
soft-bits.com
twheb.com
poshchain.com
socialgeeknwa.com
alltexvets.com
coscolg.com
theflyingwolves.com
stonebridgeiwm.info
requestforcollect.com
weatherdeep.com
webxhard.com
six.ltd
belamargarida.com
eskisehirkahvefestivali.com
sf8803.com
hearxy.com
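The block below is an added hunting example; it is not part of the sandbox report and not vendor tooling. It loads the 65 domains from the extracted config above, matches hostnames from proxy log lines against them, and separates a FormBook 3.x check-in (a plain GET to /<campaign>/?<k>=<v>&<k>=<v>, here with campaign s5l) from mere contact with one of the configured domains. The distinction matters because most of the configured domains are decoys, so a bare hostname hit is low confidence while the campaign path on one of those hosts is not. The log line format, client addresses and query values are constructed for the example.

```python
"""Hunting helper built around the extracted FormBook config on this page."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# The 65 domains from the extracted config, verbatim.
CONFIG_DOMAINS = """
greenstock.info laurajaneaesthetics.com 817comm.com dbprimery.com slzu-vxtx9.biz covetpro.com 50.ink weick.email
88717888.com tongyue0423.com anchorsky.com horapatarot.com cadillacforless.com primesupplyvintage.com torchinstant.win thebrandishere.com
www-69677.com savestj.com tommydad.com xigjailbreak.com contulinemotieeszere.info virtualrealitydomainnames.com oldschoolrentalcars.com zerosumtoken.info
facingrods.com bagodawatch.com theecostone.com fireangelstech.com lendingnetworksmail.com apartemenbegawan.com oniapparel.com sanjeevkumarvestige.com
jiqywrrcmyudxaydrw.com ptt-store.com affilifaq.net eyezonsite.com youreadorkable.com eh-sc.com diariodasnoticias.com bcqts.com
9a176.com triplicesports.com thetravelguideindia.com frottolesignoraggio.info swiftlogistics-service.com 36lk.info webuyoldmotorcycles.com mikedtoyota.com
honghuyangguang.com soft-bits.com twheb.com poshchain.com socialgeeknwa.com alltexvets.com coscolg.com theflyingwolves.com
stonebridgeiwm.info requestforcollect.com weatherdeep.com webxhard.com six.ltd belamargarida.com eskisehirkahvefestivali.com sf8803.com hearxy.com
""".split()

# Campaign identifier from the extracted config. FormBook 3.x check-ins are
# GET /<campaign>/?<k>=<v>&<k>=<v> against one of the configured domains; the
# path is what distinguishes a beacon from ordinary browsing to a decoy site.
CAMPAIGN = "s5l"
CHECKIN_PATH_RE = re.compile(
    r"^/" + re.escape(CAMPAIGN) + r"/\?[^=&]+=[^&]+&[^=&]+=[^&]+$"
)


def matching_domain(host: str, domains: List[str] = CONFIG_DOMAINS) -> Optional[str]:
    """Return the config domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify(url: str) -> Tuple[str, Optional[str]]:
    """
    'checkin'     : configured domain AND the campaign check-in path shape
    'domain_only' : configured domain without the check-in shape (decoy-grade hit)
    'clean'       : host is not in the config at all
    """
    parts = urlsplit(url)
    domain = matching_domain(parts.hostname or "")
    if domain is None:
        return "clean", None
    path = parts.path + ("?" + parts.query if parts.query else "")
    if CHECKIN_PATH_RE.match(path):
        return "checkin", domain
    return "domain_only", domain


# Constructed proxy log lines (not taken from the sandbox run):
# "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2022-05-21T10:01:12Z 10.0.0.5 GET http://www.greenstock.info/s5l/?Xb=aGVsbG8=&Zzwc=QUJD
2022-05-21T10:01:15Z 10.0.0.5 GET https://mikedtoyota.com/inventory/
2022-05-21T10:01:20Z 10.0.0.7 GET http://example.com/s5l/?a=b&c=d
"""


def hunt(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (client, verdict, matched_domain, url) for every non-clean line."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, _method, url = line.split()
        verdict, domain = classify(url)
        if verdict != "clean":
            hits.append((client, verdict, domain, url))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(*hit)
```

The third constructed line carries the campaign path but goes to a host outside the config, so it stays clean: the path alone is not a signal, only the path on a configured host is. Over TLS proxy logs only the hostname is visible, so those hits can never rise above domain_only from this logic.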
Targets
Target: doc094.exe
Size: 345KB
MD5: aa4728fc8d920e596570904225ffaeca
SHA1: 242c0f565ef343f4390b3090fcd1480ae07d50c1
SHA256: aa3a6c0efb81498bfda5ebc1319154af99114b3184a9dffd5924e778b25b1ab9
SHA512: b145c454ab49f26194ec3d4a6ab0cb4ec4208aee1ea624d5d48473d858e41a008c2cfd0778e9aaac79f83d4ec9c62d5e0a10c7c8b879a126237c041d2d47ef41
Signatures:
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Adds policy Run key to start application
Deletes itself
Suspicious use of SetThreadContext
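As an added example (not the sandbox's own signature logic), the block below turns two of the behavioral signatures above into checks a detection engineer could run over Sysmon-style host telemetry. "Adds policy Run key to start application" refers to the Explorer policy Run key (Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run), an autostart location read at logon like the ordinary Run key but rarely written by legitimate software. "Deletes itself" is mapped to a generic heuristic that is an assumption of this example, not something the report states: a cmd.exe child running del against its parent's own image. "Suspicious use of SetThreadContext" is left out deliberately, because it is an API-level observation (a process-hollowing indicator) that standard Sysmon events do not surface. Event field names follow Sysmon; all values are constructed.

```python
"""Check constructed Sysmon-style events against two of the sandbox signatures."""
import re
from typing import Any, Dict, List, Tuple

# Explorer policy Run key under HKLM, HKCU, or HKU\<SID> (Sysmon reports
# per-user hives as HKU\<SID>). Standard Windows path, not quoted from the report.
POLICY_RUN_RE = re.compile(
    r"^HK(?:LM|CU|U\\[^\\]+)\\Software\\Microsoft\\Windows\\CurrentVersion"
    r"\\Policies\\Explorer\\Run\\[^\\]+$",
    re.IGNORECASE,
)

# Self-delete heuristic (assumption for this example): a `del`/`erase` in the
# command line of a cmd.exe child that names the parent's image path.
DEL_RE = re.compile(r"\b(?:del|erase)\b", re.IGNORECASE)

Event = Dict[str, Any]


def policy_run_key(ev: Event) -> bool:
    """Sysmon Event ID 13 (RegistryEvent SetValue) under Policies\\Explorer\\Run."""
    return (
        ev.get("EventID") == 13
        and ev.get("EventType") == "SetValue"
        and bool(POLICY_RUN_RE.match(ev.get("TargetObject", "")))
    )


def self_delete(ev: Event) -> bool:
    """Sysmon Event ID 1 (ProcessCreate): cmd.exe deleting its parent's image."""
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "").lower()
    cmdline = ev.get("CommandLine", "")
    parent = ev.get("ParentImage", "")
    return (
        image.endswith("\\cmd.exe")
        and bool(DEL_RE.search(cmdline))
        and bool(parent)
        and parent.lower() in cmdline.lower()
    )


RULES = {"policy_run_key": policy_run_key, "self_delete": self_delete}


def evaluate(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_name, ProcessId) for every event that trips a rule."""
    return [
        (name, ev["ProcessId"])
        for ev in events
        for name, rule in RULES.items()
        if rule(ev)
    ]


# Constructed records: field names follow Sysmon, values are made up for this
# example and are not observations from the sandbox run.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4100,
     "Image": r"C:\Users\user\Desktop\doc094.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Example",
     "Details": r"C:\Users\user\AppData\Roaming\Example\example.exe"},
    # Ordinary Run key write: common and not what this signature is about.
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 2200,
     "Image": r"C:\Program Files\Updater\updater.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Updater\updater.exe"},
    {"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c del "C:\Users\user\Desktop\doc094.exe"',
     "ParentImage": r"C:\Users\user\Desktop\doc094.exe"},
    {"EventID": 1, "ProcessId": 4130, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users\user\Desktop",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for name, pid in evaluate(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The ordinary Run key write is intentionally not matched: it needs its own, noisier rule with allow-listing, whereas a write under Policies\Explorer\Run is rare enough to alert on directly.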