General

Target: e8b47de50c2770fffb6bbd42995a2ed6da33cb65243f6516a93dea8538cdf59a
Size: 200KB
Sample: 220521-xkb8ysfbgk
MD5: 59b1d91bdbcab05349e54713f6d375c8
SHA1: 00f1892b9cab9145373004968e4d6d7d2d0eb168
SHA256: e8b47de50c2770fffb6bbd42995a2ed6da33cb65243f6516a93dea8538cdf59a
SHA512: 11772aa4bad4310f8df76b0bb7afbc90d8029641b0840f794aae3d561eab7c8f1badd780a437792bc81c0defa1a2aec4bd077aaa155db0cf079dee86c7fb6d43
Static task: static1
Behavioral task: behavioral1
Sample: New order.exe
Resource: win7-20220414-en

Malware Config

Extracted family: formbook
Version: 3.9
Campaign: m6x
Targets

Target: New order.exe
Size: 268KB
MD5: 77fbec0f83df3e347cd28c4c3c18a926
SHA1: 908709218882a96882ced2a71556740017d37b77
SHA256: 0f028665a6f71c72b5dded557cf9e0b33f44133134a695b867bc66df9f5202bf
SHA512: 26a5623e420067a3e2b5580c4fd9e379bc8790fab8b8b99d7afe63b7ebe46c6fafdb0510e4ff34c1f9e46b1a9cd022eb4ba1d2ca5b30f7741957f26b5dc06036
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry (disk information is often read in order to detect sandboxing environments)
- Suspicious use of SetThreadContext