General
- Target: 2cea867ece0089b2bdb51424e81d2f9bd31c80f5c3910fa17bce6c7a36eaed66
- Size: 396KB
- Sample: 220521-xhfhlabgc8
- MD5: 6d254b56f45f05c290a88d0308accf84
- SHA1: 626f1dbaea39422e92793f49eef0733611f70a3b
- SHA256: 2cea867ece0089b2bdb51424e81d2f9bd31c80f5c3910fa17bce6c7a36eaed66
- SHA512: 3656a0c9bceb7e11e2881389d5ca39b9a0d7dacb274cdea844c463574d0307b1dbbac4a6a2c558ab6f5ae245be1140ac0177bc187332be076a02524f5a65dd93
- Static task: static1
- Behavioral task: behavioral1
- Sample: S-19799C.exe
- Resource: win7-20220414-en

Malware Config
- Extracted family: formbook
- Version: 3.9
- Campaign: 5x9
Targets
- Target: S-19799C.exe
- Size: 633KB
- MD5: d7bd3e606c11ebcf2262604c19538bcf
- SHA1: 2e25f74cfc2acbe56592888237270d8f6f6df50d
- SHA256: 55c852b0c762e30f96e7948cd2db3f940f8a18714f4c8146775d65e53f9fd385
- SHA512: 8b5873e50dd6f8a899f723881705cb8187730caeeb1d9432deacf90a77b950dc6104c64bdeaa66dd98c20c0ac70c0a9e2a8f4042ce406ed77961a4820d431d5d
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext