General
- Target: 02b4d21a4dcfe793027cc1be224d94f5334fff82ac52248a3e44aba68666978d
- Size: 199KB
- Sample: 220521-xlr1sscac8
- MD5: 12e0e4ff2d88c07589c90c8e2fd5438f
- SHA1: 311c177ee8913ead940718182b9f33ada6634dc9
- SHA256: 02b4d21a4dcfe793027cc1be224d94f5334fff82ac52248a3e44aba68666978d
- SHA512: 7ad9daf173996eae303f610fe14c86c1b1a10edb1f78c88c963d876c6fe06f6ae9c331b7c89ef9f2b7e40734136d8ed3ddfd9d0c9ebe57b29ecb70feeed81cf3
Static task: static1
Behavioral task: behavioral1
Sample: new.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
3.9
uw7
casa-miquela.com
phongcach8.com
tvdefrance.net
vipeorfresh.com
litsp.net
9dj2-ycg.biz
3157allen.com
newidea.site
merchandiserod.com
blueictbd.com
151manbetx.com
roehallwedding.com
huaruiju.com
sparkjoywithshannon.com
massif.biz
ochrebridge.com
r6t9.com
fuuvomoogmusic.net
perfectpawsdoggyboutique.com
nst-nri.com
dailyoldham.com
bsmithfotohaus.com
yueashitang.com
luisamorim.com
info-plastic.com
corporatelegallv.com
tableted-conalias.com
qiyefalv.net
ekdai.group
breakfasthelicopter.com
thefoodnerd.net
blmediasolutions.net
biasino.com
6199cccc.com
morgou.com
wellthywarrior.com
xn--slverdkm-tkb.com
aghanim-invest.com
sira.ltd
unitedthroughvalor.com
nvleaf.com
cloudnvr.net
devorius.com
minnsthings.com
eg9b23n-eqj.com
fashionchicmur.com
hfcjgd.com
sflandinc.com
cryptorawr.com
rustylimbs.com
computerscienceretreat.com
collegepassblack.com
santaandelfrun.com
itbagbrasil.com
tsangtwins.com
indiangateaerospaceacademy.com
pedrabrancafm104.net
kxycwn.info
thefashionclubs.com
bjxslsbh.com
amraaconsulting.com
poliformtehran.com
what-are-basic-necessities.site
sweaterbaba.com
binzom.com
Targets
- Target: new.exe
- Size: 268KB
- MD5: a88e4bd1e3507132fcdd28f38a6751f7
- SHA1: 26e3eed8ee5b0e18cc401ed88b73b287c8ad8de7
- SHA256: 7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695
- SHA512: 657b6c77d0d72945293978df4dc4bae3fb722978be866ddfe0ceb3fa6c604ed9c27ef516a77f159cc98dd577fb4a042fcf8c9406912f7985a8d5e8b3587682ae
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Adds policy Run key to start application
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext