General
- Target: 003763d1e0baa99e85d1fd1bc632f6179b11c655bc2a9350e6c151662c3ddd0e
- Size: 1.2MB
- Sample: 220521-pzrcesgcd2
- MD5: facadf6676ed51686492001791c5431a
- SHA1: 4de352ac25a2b19313361f1906a8559db2114899
- SHA256: 003763d1e0baa99e85d1fd1bc632f6179b11c655bc2a9350e6c151662c3ddd0e
- SHA512: 7bd2b187f289d6633c6d30b76031456e62dcb71cdb705d35bd89b1508672336f517ad5cb4f49c84e554412a9add33e90c490486d53ad1f6acdceea01822c9c79
Static task: static1
Behavioral task: behavioral1
- Sample: NEW_PURC.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
gzl
abecoip.com
statecollegecarsales.com
jinshuweilan.com
arabiyyan.online
orientjudge.win
uone.ltd
kk7171.com
bpgcyffblaxuq.com
yohei-shiki-diet.com
xn--9krp13ejfj.com
meaningfulbook.net
flagshiptechnology.com
wiredlaw.legal
xn--5kvtwt8i.com
termokaynak.com
intelligentdredgers.com
internationalfoodconnectors.com
spokanenewsonline.com
shrpevfdwl.info
samuellartey.com
wedare-everywhere.com
junkcarsabc.com
youthleader.info
moritzhart.com
jackelkanderson.com
interactdining.com
befadingfast.com
gd567d.com
corsand.info
briarross.com
remodelingby.com
mshy.ltd
turquoisebuy.com
employmentwithapositive.com
secure-web-billing.com
missprettypicky.com
jmsjsb.com
feelgoodmarketing.online
damascussteel.net
dziembateam.com
zhaoshangchang.com
brainvalleybrc.com
conspiracyofkindnessevent.com
kerim.party
cheln30cm.review
schnyderfor.com
uniteagainstrape.com
encontroestadual.com
pvmime.com
adosmetrics.com
top3pot.info
entrophysics.net
houstonrebuilders.net
hechizoz.com
andyott.com
realtor4rialto.com
85agag.com
ledcorse.com
xcorn.net
twostepllc.com
victor18.com
simplyglamp.com
rjik7w.net
protego-solutions.com
nacemo.com
Targets
- Target: NEW_PURC.EXE
- Size: 339KB
- MD5: 66308e9a33fa414a0d3594450e0291f5
- SHA1: 2015687b62b4a91512015c7b6d591c54b9dadf4e
- SHA256: a975214d240d5a033bef864d482e7636de68c48d5e94434833289b7e56962bb2
- SHA512: 4396d49513addde95c3292a7dbed9e0b233003e439287419059e0d323f30a721c2db4c7a1af686e4f2ca0807939970f988b2258c934acba3ec7257bd7372608b
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Suspicious use of SetThreadContext