General
Target: G.rar
Size: 184KB
Sample: 221209-cyal3afa5z
MD5: aa62d654c6839aaca44274709cd134ec
SHA1: bf0f62e041d06fa27592c89219708c1f7a6d2185
SHA256: 6351c69330812979b20ca0237dd523081e73bdec6b48c6a1bf8cac708b028ef9
SHA512: 8451ab099c9b10d505b42e7b00f6b9b0b37b675bb3c2e61d5ff21ef04611d91250bde43e24be554eb8b038797d3c478a88e3f97883f73201255c7342ac9eb4d1
SSDEEP: 3072:tqQbSC5ocPstFUfBYJLNnk+roy0tYqTgmm7lgq0hYMONvluBJmrEQRJQsazVx5:I0scU74cNnFYY1wqIYxlamrEQLmV
Static task: static1
Behavioral task: behavioral1
  Sample: 91ef79825a38a6d9942f8963206785bc.vbs
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 91ef79825a38a6d9942f8963206785bc.vbs
  Resource: win10v2004-20220901-en
Behavioral task: behavioral3
  Sample: f919de1034edc7b8a4a5a8aa8f0067dd.exe
  Resource: win7-20220901-en
Malware Config
Extracted: formbook 4.1 d06c
Targets
Target: 91ef79825a38a6d9942f8963206785bc.vbs.vir
Size: 784B
MD5: 4304fd3c7c6532cb19e0f29773b5e253
SHA1: 333be879c7816ebc1417fad26953fc235e2cf2ac
SHA256: 0593fa1832103b3903a35bbfab6f0331cb9031b75afeff791cc7d331f5c2a028
SHA512: faed7856e6f9e1933bd1730d1165c75e3dd12288fb7b5d9a3a6a2416efb5a592301aca98ce90562c59045d5f3e81b54c00d1afecc6634af85b330bd3c6ff2031
Score: 8/10
- Blocklisted process makes network request
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Accesses Microsoft Outlook profiles
Target: f919de1034edc7b8a4a5a8aa8f0067dd.exe.vir
Size: 266KB
MD5: a30c15bda927aeb2ff67b7bbc69aee4f
SHA1: 9664785694f1b27cd5a6972dd2451a0499d77dac
SHA256: e86e7a5474975bd8099a89b34823da8d58195eb40f59d295b6d425a7763e2a1d
SHA512: 5b7fbe69ce2d0e30068770a8667934c429f7d081a2413cbc28ca952f7b3640f341a5f8ba7f4508624e45a081838ed7da8f7413257c441652e19a1f7757255c1d
SSDEEP: 6144:MtXZXPanzcQUuLgsNG0BPspB4nAFmklJ:Mtsz5DLgsp5ngDl
- Formbook payload
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext