General
- Target: LSP63103.EXE
- Size: 643KB
- Sample: 220615-kz463acgdq
- MD5: 5e3b856fd3ea5e1dc91c79db317a4b19
- SHA1: 25f969391c43fe125bf6d9162a54d5ae5da2cf62
- SHA256: 835ad427cf84c1e97ad98d95c765125ca7629d62657dbfb6bf82327223e573b0
- SHA512: 2f322edc88b06f8e15626e5da06576a3f0ca150cf7f4e63aa21a92090994f4aeca4b82bfe40b527811799fa20bca7b86b14a42649f6585aebe642500b8057b02
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: LSP63103.exe
  - Resource: win7-20220414-en
Malware Config
- Extracted: formbook 4.1 d94e
Targets
- Target: LSP63103.EXE
Signatures
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Deletes itself
- Suspicious use of SetThreadContext