General
-
Target
tmp
-
Size
298KB
-
Sample
220616-p44hjshfe2
-
MD5
e29af60c4ef79bee0553d2fb6e5e45bf
-
SHA1
621afdcdfdba54a39c17ff294879dcfdb944593e
-
SHA256
7afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
-
SHA512
6b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
4.1
s3s3
tvielotus.com
teesta.xyz
talentrecruitor.com
pamaungipb.com
xn--90ahkh6a6b8b.site
910carolina.com
toyotaecoyouth-dev.com
invetnables.com
gdexc.com
ssw168.com
householdmould.com
mqttradar.xyz
t333c.com
thepausestudio.com
evershedsutherlands.com
asbdataplus.com
preddylilthingz.com
jepwu.com
tvlido.com
artovus.com
trainingmagazineme.com
rettar.net
underneathstardoll.com
babipiko21.site
getvpsdime.com
accentsfurniture.com
cutdowns.tech
teklcin.online
sunshareesg.com
eventrewards.site
lacomunaperu.com
a-tavola.online
gshund.com
monsterflixer.com
896851.com
carpetlandcolortileflint.com
filmproduction.management
cherie-clinique.com
medjoker.com
grant-helpers.site
sussdmortgages.com
solaranlagen-forum.com
freecustomsites.com
h7578.com
ideadly.com
backend360.com
podgorskidesign.com
zilinsky.taxi
ourelevatetribe.com
thefitnesswardllc.com
eficazindustrial.com
thecovefishcamp.com
niuxy.com
myluxurypals.com
clinicadentalvelinta.com
dis99.com
crosswealth.xyz
itopjob.com
oandbcleaningservices.com
afri-solutions.com
paradiseoe.com
versionespublicas.com
b2lonline.com
usdcmeta.xyz
bense003.xyz
Targets
-
-
Target
tmp
-
Size
298KB
-
MD5
e29af60c4ef79bee0553d2fb6e5e45bf
-
SHA1
621afdcdfdba54a39c17ff294879dcfdb944593e
-
SHA256
7afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6
-
SHA512
6b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611
-
Modifies system executable filetype association
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Suspicious use of SetThreadContext
-