General
Target: f57f1421d36e94a64e8187e1dfbe255dde5b3e851df8d3e8350dd2a3844aac76
Size: 926KB
Sample: 220530-ktc6dscadn
MD5: 599de5976e8a5df084f4ab499f218450
SHA1: cd66f37a6babddbfda172355e6a2c58b0087e051
SHA256: f57f1421d36e94a64e8187e1dfbe255dde5b3e851df8d3e8350dd2a3844aac76
SHA512: 0f8dc2bc43e49f4a822f9e67494e214b05ded0f86550e8b412ad9968a72a122e412dcf4c44adabd19f95ef5eceb3003408a83efb231a7cf13a9fa2374acf964b
Static task: static1
Behavioral task: behavioral1
Sample: f57f1421d36e94a64e8187e1dfbe255dde5b3e851df8d3e8350dd2a3844aac76.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
g2m3
Targets
-
Detects win.formbook.
5.
-
FormBook
3.
-
autogenerated rule brought to you by yara-signator
4.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-