General
Target: U prilogu potvrda narudzbe.exe
Size: 500KB
Sample: 220523-vj4kpsbbfm
MD5: 148986549117576bfd15d868abc6455e
SHA1: 671a0ca7cb8e5d39c3b2748d24bec6a32f6055f2
SHA256: f073049a0bb7d1e370d603841469d9b6070da559d9721a018a6ace155d2d7b3a
SHA512: 24dca913d120b7a36b394f2ca51d0d8b31da59e5d7757e5bd4c74b228ecbc957906ce1f9f99883b87f37f51ee04d9c4e92f8e017b68eb9b40643fe97321b2d27
Static task: static1
Behavioral task: behavioral1
Sample: U prilogu potvrda narudzbe.exe
Resource: win7-20220414-en
Malware Config
Extracted family: formbook
Version: 4.1
Campaign: 3nop
Targets
- Modifies WinLogon for persistence
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Executes dropped EXE
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetThreadContext