General
Target: 3e82cb25670dd3d5df50f74cdf12c6166ac1ef789f0405048c97c3552728d88d
Size: 271KB
Sample: 220521-xlhr5acab6
MD5: 9a3776baf1ccbc92a6cae7e741ad2fa0
SHA1: b4ecefc4d1b2daaaeb2580dd56b2e966f0113db1
SHA256: 3e82cb25670dd3d5df50f74cdf12c6166ac1ef789f0405048c97c3552728d88d
SHA512: 7e7f7c7d8586420aa93c493ddf5126fb398602fe0f425cac577d249c3c64a28e07bde67fd003d2e1c6bd5d29ab08424f659b7f86c04f4e06bc1085f6930c3339
Static task: static1
Behavioral task: behavioral1
Sample: Total GP Employment Offer.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.0
lgm
Targets
Target: Total GP Employment Offer.exe
Size: 310KB
MD5: 04c8a35797fa8d2e1e3ed5f65f128d04
SHA1: 9736f277710815dafe27857805e0c7af97adfaeb
SHA256: adf4b8a00eec7af49d20ac1939ca9b5c078e8d119c7e6f1b708c5e39df3acf71
SHA512: 1e0476cde888f0bec1da340809397a1582a35e2f569b9a4ba6b397b885c3ddd481deec840f245dbcb55b1d2650afcb5716779249c4d4d934afda0ace0088a47b
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext