General
-
Target
Justificante de transferencia.exe
-
Size
324KB
-
Sample
230322-kq38eafh37
-
MD5
89c1af7470bf3a699a914a62a7a37c1f
-
SHA1
75112e7df02461e8dc0266d6a147959b2ae3701c
-
SHA256
c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
-
SHA512
fa4ef030ff88c36e4028fc22e7e285383f38d73ec5b36f06bf4f087d84a55dbf72ad8e79d279deecac3181c71b239549c023e27e529cc57c3d46bd4a46971ba6
-
SSDEEP
6144:nQ606xUAK/TxV595DDV6v/bGj5Yb7T/lZNG5isZ/UTUNsKn8sFLZJFJJWkFx:k3LJZ6HbGjQLZiU1sFdHnWkFx
Static task
static1
Behavioral task
behavioral1
Sample
Justificante de transferencia.exe
Resource
win7-20230220-en
Malware Config
Extracted
formbook
4.1
bd16
fjosephsolicitor.co.uk
itworx.store
firstlinebeefits.com
cadimaglobalservices.com
inclevin.com
kashmirimasale.com
charalambidis.com
homeliday.co.uk
joseguardiola.dev
wowmomofranchise.info
halongbaycruisestours.com
000217.com
dslt.xyz
careyinmobiliaria.com
ucankofteci.net
brisace.com
fastestcleaningservice.com
cornbreadnchicken.com
sizeable.app
labradordiamond.com
houseofartists.uk
halsotid.com
culligamdiy.com
bluehillinternational.com
camillerdesign.com
anth0nywilder.com
tumangadescargas.net
diasporadar.com
jtstu.com
brillsservices.com
srewib.online
ganchenbox.com
handream.co.uk
accessibleherefordshire.com
iverse.media
adeolasadvocacy.com
jmkafgha.top
litsugar.com
exclus-urvey.com
bossdolls.net
footballnostalgia.org.uk
babymed.africa
cutpriceappliances.co.uk
bloomuniverse.xyz
imperialforge.co.uk
joontii.com
tiyu592.com
coliback.group
bblifebizsolutions.com
directrealizabr.online
artbychimps.com
aviiss.com
gacorgaming.online
oliveuk.co.uk
idahohighwaytrivia.com
frutasdelyuna.com
lindakembabaziportfolio.com
gosuslygi.site
matshallacademy.africa
conffirmit.com
casamareresort.com
flipfoil.com
boricuame.com
herspaday.com
ugoufang.com
Targets
-
-
Target
Justificante de transferencia.exe
-
Size
324KB
-
MD5
89c1af7470bf3a699a914a62a7a37c1f
-
SHA1
75112e7df02461e8dc0266d6a147959b2ae3701c
-
SHA256
c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415
-
SHA512
fa4ef030ff88c36e4028fc22e7e285383f38d73ec5b36f06bf4f087d84a55dbf72ad8e79d279deecac3181c71b239549c023e27e529cc57c3d46bd4a46971ba6
-
SSDEEP
6144:nQ606xUAK/TxV595DDV6v/bGj5Yb7T/lZNG5isZ/UTUNsKn8sFLZJFJJWkFx:k3LJZ6HbGjQLZiU1sFdHnWkFx
-
Formbook payload
-
Checks QEMU agent file
Checks presence of QEMU agent, possibly to detect virtualization.
-
Deletes itself
-
Loads dropped DLL
-
Legitimate hosting services abused for malware hosting/C2
-
Drops file in System32 directory
-
Suspicious use of NtCreateThreadExHideFromDebugger
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-