General
Target: PO#30001174.exe
Size: 249KB
Sample: 220620-qjyl8sddej
MD5: 15a03c78842f8e0f47ffc35dd6362197
SHA1: 1e4d857d05d7bd3d7ae37345dd9e38f629219596
SHA256: 8a3206a8bbf5056d7cb774be843c2a067aa8643e44c58c63e3e9cb65ce0f3fc4
SHA512: a1cb86f46db8ceeab6306c6a0cf90fee5002fba8504b284ed0c95fcd9fde7d6948dbc2946a750f6104cb689def600ca41727dec8b1a651f9afed6b53e169a1db
Static task: static1
Behavioral task: behavioral1
Sample: PO#30001174.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
m56u
Targets
Target: PO#30001174.exe
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Executes dropped EXE
Checks computer location settings: looks up country code configured in the registry, likely geofence.
Loads dropped DLL
Suspicious use of SetThreadContext