General
Target: RFQ5462-PO22000850.pdf.exe
Size: 613KB
Sample: 220725-k5l8fabgep
MD5: 3ba5f2da42cf3865b04008a26744d346
SHA1: 2b897b32de43663cce219db2e7c64aa7315ad6f5
SHA256: a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab
SHA512: 5cda5d155abbb748a9845ba2e7b6a10dbc299101b4ad3c641da558b0420a418738c5b8397f6fe5b76c1afb8b54c83137c9803afe32de7fb9a57e42166bc81811
Static task: static1
Behavioral task: behavioral1
Sample: RFQ5462-PO22000850.pdf.exe
Resource: win7-20220718-en
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: t19g
Domains:
playstationspiele.com
cakesbyannal.com
racepin.space
anti-offender.com
magnetque.com
farragorealtybrokerage.com
khuludmohammed.com
v33696.com
84ggg.com
d440.com
soccersmarthome.com
ofthis.world
fivestaryardcards.com
lusyard.com
gghft.com
viajesfortur.com
rationalirrationality.com
hanaramenrestaurant.com
exactlycleanse.com
martensenargentina.com
michellesellsvt.com
pupsloveandlondon.com
kfhym.world
makeuphoje.com
ebookrise.com
flesherbrothers.com
doonaudio.com
doanet.xyz
wrghintlian.com
davidchristl.com
domaintch.com
quotereflection.com
eroptikblog.xyz
iranianinvestmentclub.com
cp200motorola.com
vsenq.com
theamazonmovement.com
aspiteksoln.com
perkebunannews.com
myreverie.life
hrddf.com
gblaincreative.com
lipsstreet.com
xxf76.top
dureluxx.com
heldelicioso.com
taskconsulting.com
dongcunzhengfu.com
itohpe.com
abundantskill.com
fernhutco.com
hairgrowthxpert.com
intelligentreportscloud.com
maybesupply.com
7156.world
cr-marcelo.com
shequipamentos.com
villeenvie.net
robbyscreations.com
mpaohead.com
nailsa.biz
accoladesandmore.com
preppers.pro
pinpinduo2.xyz
allsofttech.com
Targets
Target: RFQ5462-PO22000850.pdf.exe
Size: 613KB
MD5: 3ba5f2da42cf3865b04008a26744d346
SHA1: 2b897b32de43663cce219db2e7c64aa7315ad6f5
SHA256: a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab
SHA512: 5cda5d155abbb748a9845ba2e7b6a10dbc299101b4ad3c641da558b0420a418738c5b8397f6fe5b76c1afb8b54c83137c9803afe32de7fb9a57e42166bc81811
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Formbook payload
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Suspicious use of SetThreadContext