General
Target: SWF310130709H10170_doc.exe
Size: 407KB
Sample: 230712-g8cxdscb98
MD5: c55e2d1a636396d2c6e6ec01d339ae54
SHA1: 1e08473eddc5f998e9ac98e9edcb381e9a5b471b
SHA256: a2562e99d8118fcd1d9cd40b1811900664bb3bdd6de0caa5c1dfabd595091b66
SHA512: 49aadb4c3098f6cd667f4d493236c083be23fac60f3558dc0a0b7cc2ce08b004daf5ca8490317fe4a7121f1f0f98e9fcf9dec3a70ddad3533df5d003b25d7601
SSDEEP: 6144:0qaFH+9DAYmH76d3LCC2QMbg6RFKqSMBlFGObd6SN/hnanHy1FZiSGQsBzM:85lYe7euC2ZbXFKZmc86SRhnanHUX7
Static task: static1
Behavioral task: behavioral1
Sample: SWF310130709H10170_doc.exe
Resource: win7-20230703-en
Malware Config
Extracted
formbook
4.1
b04a
abm9527.com
nirvanicplane.com
fridaythefactory.com
selfmadepromotions.com
josephinefilieri.com
paradise-gaming.com
j-ixshop.com
zenxcoin.com
49499h.com
azizaacademy.com
prestigewdb.com
lungudashi.com
cryptosmartmoneysetup.com
taylordforyoubeauty.com
xn--brstungsgelnder-blb21b.com
rowpy.com
kirizy.com
cearasummit.com
newsbeeindia.com
lucroexcepcional.com
3abd38.com
ag3transfer.com
grupopassarela.com
60waigong.com
lemoniousmurals.com
airlines-hotline.com
ccleanecr.com
nauteeapparel.com
sho-beratung.com
realworldoutlet.com
siyxctio.xyz
midmichiganstunt.com
theknowgame.com
igburtonusedglenburnie.com
tot84s.com
employeejohnstonsofelgin.com
3damngood.com
26eastparkwayunit12s.com
terrafits.com
www345231.com
stilljumpinginpuddles.com
oliverhooperevents.com
woolfoxgolfmembers.com
boardeshorts.com
fashlinexi.com
lemonbottlebw.com
easybossspirit.com
the-game-of-luck.com
holiday-memes.com
velnexpharma.com
724686.com
mystique-talbot.com
buffalowildwinghs.com
padzlkvdmeghz.com
sunshinedesignsystems.com
probadorweb.com
develokids.com
qingboyuqing.com
waterdropftavilter.com
useklandri20.com
mtvcomactivate.com
volantkennedy.com
chronoboutiqueny.com
byantiskincare.com
twytt.com
Targets
Target: SWF310130709H10170_doc.exe
Size: 407KB
MD5: c55e2d1a636396d2c6e6ec01d339ae54
SHA1: 1e08473eddc5f998e9ac98e9edcb381e9a5b471b
SHA256: a2562e99d8118fcd1d9cd40b1811900664bb3bdd6de0caa5c1dfabd595091b66
SHA512: 49aadb4c3098f6cd667f4d493236c083be23fac60f3558dc0a0b7cc2ce08b004daf5ca8490317fe4a7121f1f0f98e9fcf9dec3a70ddad3533df5d003b25d7601
SSDEEP: 6144:0qaFH+9DAYmH76d3LCC2QMbg6RFKqSMBlFGObd6SN/hnanHy1FZiSGQsBzM:85lYe7euC2ZbXFKZmc86SRhnanHUX7
- Formbook payload
- Checks QEMU agent file
  Checks presence of QEMU agent, possibly to detect virtualization.
- Deletes itself
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext