General
- Target: 0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3
- Size: 314KB
- Sample: 220521-xlvfxscad6
- MD5: 122ce70f3193477ac2533c56f09a1012
- SHA1: 6d4bbed8a6475c6fe26ef094b96dc3b13900d342
- SHA256: 0025dd0c81142c4d22f609d32059709406269193830fdfc76d0530d98062c6c3
- SHA512: 7337b4e83af67869335bf0ea2884a304f631db96707e36f3a30aa7509c8b9bc95ee8ce89f8912d0c796aa6d5faed654730ab2dfa81a408ed6341f6d9c0dfada4
- Static task: static1
- Behavioral task: behavioral1
- Sample: PO KH-TECH.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
q5e
Targets
- Target: PO KH-TECH.exe
- Size: 400KB
- MD5: cec3c5e9ed6457abf83f3650bab34a0d
- SHA1: ca81643244ea28e9824d21fc1c779f53679a76dd
- SHA256: 66812d316b85e20248c4af1f141a372ec1e434d951f7c6fc51402ab23da87845
- SHA512: dd02eb4c30720d40383e78e76c912e2689c4dead68a89b113086574d871a21bc73129f21d8ca0b5a00aecd658d69456262af727ccbdbab931a1cf47e1870ac5a
- CoreEntity .NET Packer: a .NET packer called CoreEntity that embeds the payload as a BitMap object, which is later decrypted.
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Deletes itself
- Adds Run key to start application
- Suspicious use of SetThreadContext