General
Target: rFATURA_pdf.exe
Size: 160KB
Sample: 230718-e78xbsha7v
MD5: 4c657eec9af70a8027e1842c7effbe9b
SHA1: e37ff77323fe993dda213813246bd0184fe59142
SHA256: 93ed7e400500fb1e4be9421400e42ddab0b5cac500929f28bab9fee0c8afea00
SHA512: b5f5333a4474728b6cefee08d306c42bd469853b50669a5a37344b6c8bbe4b64c3e091e0cc70bb968e391b5f88fa42107067eb40a648477b023e1b4a9078d37d
SSDEEP: 3072:+NzPHk9MpcQbe0/tU8VmX0KvW8fSPi/mrjubLJ986/J0k+wgTePEGAkjoD+XFgKc:+hRF5/28VmvvEiQEJ986KNTePEN1+1g3
Static task: static1
Behavioral task: behavioral1 (Sample: rFATURA_pdf.exe; Resource: win7-20230712-en)
Malware Config
Extracted: Formbook
Version: 4.1
Campaign: ls65
C2 domains:
reumatologia.page
bb7026.com
okxxiazai.xyz
okelah01.click
chewindustries.com
hirokusetu.site
oapukcln.cfd
vicscateringevents.com
tbmxliea.cfd
angelfire.live
dotphysicalhuntsville.com
jeacon.amsterdam
ujukpquq.cfd
iabq.top
v8zxdv.cfd
l6tdkz.cfd
xmsp.xyz
shopbathroomsink.com
farmasiecuador.site
kosher-bookings.com
vzipfwbr.cfd
goldagesupplements.com
izgyegau.cfd
vwems.xyz
bhllwcb.xyz
moshschool.com
congeladosdn.com
adoydevs.com
ruggieroinvestigazioni.com
rablackwellwriting.net
aspecs.app
oldetowneflowerco.com
gybllrfc.cfd
wkmwbaxd.cfd
z7rhox.com
pawdooropener.com
rojantmedia.business
mange.work
validprotocol.com
ro926k.cfd
f-dep.com
pjsdwags.cfd
b33518.com
jeteletelpar.com
betterflashings.homes
enluvy.tech
kubet69.biz
disruptivehcs.com
best-chairs-for-gaming.store
getinnovation.live
wpspecial.xyz
bnbdodsx.cfd
brutelle.com
literaturereviewservice.xyz
majestycleaningservicesesv.com
nhluvrjf.cfd
cl5ew1.cfd
s01l5d.cfd
atremocodex.com
hessshoesinc.site
puszah.cfd
cytscj.com
bklifnkp.cfd
fidelityscreen.com
rzuusv.cfd
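The extracted C2 list is most useful as a hunting set. The Python below is an added example, not part of the report or of any sandbox tooling: it loads the 65 domains above, matches them against DNS query logs on label boundaries (so www.reumatologia.page matches, but notbb7026.com does not match bb7026.com), and then flags clients that resolved several listed domains rather than just one. The log format, timestamps and client addresses are constructed for the example. A caveat for anyone blocking this list wholesale: Formbook configs mix a small number of live C2 domains with decoys, and several entries here look like ordinary business sites, so a single resolution is weak evidence on its own; breadth of contact from one host in a short window is the stronger signal.

```python
from collections import defaultdict

# C2 domains from the Formbook config extracted from rFATURA_pdf.exe, as
# listed in the report above. Kept as a set for O(1) membership checks.
FORMBOOK_C2_DOMAINS = set("""
reumatologia.page bb7026.com okxxiazai.xyz okelah01.click chewindustries.com
hirokusetu.site oapukcln.cfd vicscateringevents.com tbmxliea.cfd angelfire.live
dotphysicalhuntsville.com jeacon.amsterdam ujukpquq.cfd iabq.top v8zxdv.cfd
l6tdkz.cfd xmsp.xyz shopbathroomsink.com farmasiecuador.site kosher-bookings.com
vzipfwbr.cfd goldagesupplements.com izgyegau.cfd vwems.xyz bhllwcb.xyz
moshschool.com congeladosdn.com adoydevs.com ruggieroinvestigazioni.com
rablackwellwriting.net aspecs.app oldetowneflowerco.com gybllrfc.cfd wkmwbaxd.cfd
z7rhox.com pawdooropener.com rojantmedia.business mange.work validprotocol.com
ro926k.cfd f-dep.com pjsdwags.cfd b33518.com jeteletelpar.com betterflashings.homes
enluvy.tech kubet69.biz disruptivehcs.com best-chairs-for-gaming.store
getinnovation.live wpspecial.xyz bnbdodsx.cfd brutelle.com literaturereviewservice.xyz
majestycleaningservicesesv.com nhluvrjf.cfd cl5ew1.cfd s01l5d.cfd atremocodex.com
hessshoesinc.site puszah.cfd cytscj.com bklifnkp.cfd fidelityscreen.com rzuusv.cfd
""".split())

# Constructed DNS query log (not from the report): "timestamp client query qtype".
SAMPLE_DNS_LOG = """\
2023-07-18T05:02:11Z 10.0.0.23 www.reumatologia.page A
2023-07-18T05:02:13Z 10.0.0.23 oapukcln.cfd A
2023-07-18T05:02:15Z 10.0.0.23 tbmxliea.cfd A
2023-07-18T05:02:17Z 10.0.0.23 iabq.top A
2023-07-18T05:03:40Z 10.0.0.47 chewindustries.com A
2023-07-18T05:04:02Z 10.0.0.47 www.microsoft.com A
2023-07-18T05:04:05Z 10.0.0.23 notbb7026.com A
"""


def match_domain(query, iocs):
    """Return the IOC that `query` equals or is a subdomain of, else None.

    Candidates are built by dropping leading labels one at a time, so the
    comparison respects label boundaries: notbb7026.com never matches
    bb7026.com, while www.bb7026.com does.
    """
    labels = query.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def scan_dns_log(log_text, iocs):
    """Return one record per log line whose queried name hits the IOC set."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, query, _qtype = line.split()
        ioc = match_domain(query, iocs)
        if ioc:
            hits.append({"ts": ts, "client": client, "query": query, "ioc": ioc})
    return hits


def suspicious_clients(hits, min_domains=3):
    """Clients that resolved at least `min_domains` distinct listed domains.

    Formbook typically works through several of its configured domains per
    run, so breadth of contact separates an infected host from a user who
    happened to visit one decoy site. The threshold is a tuning choice.
    """
    per_client = defaultdict(set)
    for h in hits:
        per_client[h["client"]].add(h["ioc"])
    return sorted(c for c, doms in per_client.items() if len(doms) >= min_domains)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG, FORMBOOK_C2_DOMAINS)
    for h in found:
        print(f'{h["ts"]} {h["client"]} {h["query"]} -> {h["ioc"]}')
    print("suspicious clients:", suspicious_clients(found))
```

Feed real resolver or proxy logs through scan_dns_log after adapting the four-field split to your log format; the label-boundary matching and the per-client threshold are the parts worth keeping.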
Targets
Target: rFATURA_pdf.exe (160KB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
Signatures
- Formbook payload
- Checks QEMU agent file: checks for the presence of the QEMU guest agent, possibly to detect virtualization.
- Deletes itself
- Loads dropped DLL
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Suspicious use of NtCreateThreadExHideFromDebugger: creates a thread with THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER, so an attached debugger receives no events from that thread.
- Suspicious use of NtSetInformationThreadHideFromDebugger: applies ThreadHideFromDebugger to an existing thread, with the same anti-debugging effect.
- Suspicious use of SetThreadContext: rewrites a thread's register context, a technique commonly used to redirect execution after code injection (process hollowing, thread hijacking).
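The behavioral signatures above describe what the sandbox observed; the same checks can be written as rules over a raw API trace. The Python below is an added example, not report or sandbox code: it parses a constructed trace in a simplified "pid tid api key=value,..." format and implements one rule per signature. The two anti-debugging constants are the real native-API values (ThreadHideFromDebugger is THREADINFOCLASS 0x11 for NtSetInformationThread; THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER is 0x4 for NtCreateThreadEx). The QEMU guest agent path, the dropped-DLL path, the PIDs and handles, and the trace format itself are assumptions made for the sample trace, since the report does not state which paths the sample checked.

```python
from collections import defaultdict

# Native API constants: THREADINFOCLASS ThreadHideFromDebugger, and the
# NtCreateThreadEx flag that has the same effect on a new thread.
THREAD_HIDE_FROM_DEBUGGER = 0x11
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4
# Registry subkey holding per-application uninstall entries (compared lowercase).
UNINSTALL_KEY_SUFFIX = r"\currentversion\uninstall"

# Constructed API trace (not sandbox output): "pid tid api key=value,...".
# Paths, handles and PIDs are assumptions for this example; 0xC0000034 is
# STATUS_OBJECT_NAME_NOT_FOUND, i.e. the QEMU agent file was absent.
SAMPLE_TRACE = r"""
1588 1592 CreateFileW path=C:\Program Files\qemu-ga\qemu-ga.exe,access=GENERIC_READ,status=0xC0000034
1588 1592 RegOpenKeyExW key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,status=0x0
1588 1592 RegEnumKeyExW key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,index=0,status=0x0
1588 1592 NtSetInformationThread thread=0xf8,class=0x11,status=0x0
1588 1592 NtCreateThreadEx process=0xffffffff,flags=0x4,status=0x0
1588 1592 CreateFileW path=C:\Users\Admin\AppData\Local\Temp\dropped.dll,access=GENERIC_WRITE,status=0x0
1588 1592 LoadLibraryW path=C:\Users\Admin\AppData\Local\Temp\dropped.dll,status=0x0
1588 1592 WriteProcessMemory process=0x1c4,target_pid=2044,size=0x20000,status=0x0
1588 1592 SetThreadContext thread=0x1c8,target_pid=2044,status=0x0
1588 1592 SetThreadContext thread=0x10,target_pid=1588,status=0x0
1588 1592 DeleteFileW path=C:\Users\Admin\AppData\Local\Temp\rFATURA_pdf.exe,status=0x0
"""


def parse_trace(text):
    """Parse trace lines into dicts; the args field is split on ',' then '='."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, tid, api, *rest = line.split(None, 3)
        args = {}
        if rest:
            for kv in rest[0].split(","):
                key, _, value = kv.partition("=")
                args[key.strip()] = value.strip()
        events.append({"pid": int(pid), "tid": int(tid), "api": api, "args": args})
    return events


def _num(value):
    """Parse a decimal or 0x-prefixed hex argument; missing values count as 0."""
    return int(value, 0) if value else 0


def detect(events, image_path):
    """Map each signature name to the indices of the trace events that fired it."""
    hits = defaultdict(list)
    written = set()   # paths this process wrote, so a later load counts as "dropped"
    injected = set()  # PIDs this process wrote memory into
    own_image = image_path.lower()
    for i, e in enumerate(events):
        api, a = e["api"], e["args"]
        path = a.get("path", "").lower()
        if api in ("CreateFileW", "GetFileAttributesW") and "qemu-ga" in path:
            hits["checks_qemu_agent_file"].append(i)
        if api.startswith("Reg") and UNINSTALL_KEY_SUFFIX in a.get("key", "").lower():
            hits["enumerates_installed_software"].append(i)
        if api == "NtSetInformationThread" and _num(a.get("class")) == THREAD_HIDE_FROM_DEBUGGER:
            hits["hide_from_debugger_setinfo"].append(i)
        if api == "NtCreateThreadEx" and _num(a.get("flags")) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
            hits["hide_from_debugger_createthread"].append(i)
        if api == "CreateFileW" and "GENERIC_WRITE" in a.get("access", ""):
            written.add(path)
        if api == "LoadLibraryW" and path in written:
            hits["loads_dropped_dll"].append(i)
        if api == "WriteProcessMemory" and _num(a.get("target_pid")) != e["pid"]:
            injected.add(_num(a.get("target_pid")))
        # Only a context rewrite on a process we already wrote into is flagged;
        # SetThreadContext on the process's own threads is routine.
        if api == "SetThreadContext" and _num(a.get("target_pid")) in injected:
            hits["set_thread_context_on_injected_process"].append(i)
        if api == "DeleteFileW" and path == own_image:
            hits["deletes_itself"].append(i)
    return dict(hits)


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for name, idx in detect(trace, r"C:\Users\Admin\AppData\Local\Temp\rFATURA_pdf.exe").items():
        print(f"{name}: events {idx}")
```

The rules deliberately key on the NT-level arguments rather than on function names alone: a plain NtSetInformationThread call is unremarkable, and it is the 0x11 information class (or the 0x4 creation flag) that makes it an anti-debugging indicator. The SetThreadContext rule likewise fires only after a cross-process write to the same PID, which is the sequence that distinguishes injection from ordinary thread management.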