General
Target: Factura379292.vbs
Size: 167KB
Sample: 240325-txh1gscg68
MD5: 434d31ae787eaa00581d957487abe814
SHA1: 85abbe0d2e47a3128a9c94c77395cc33cc7a4da8
SHA256: 7c50209f50ce49960450dec8780918a112576c2034ac10d70e569693434bc23a
SHA512: feafe13d3d5328ab4a8907a2999b6f8ae9182cd4c3758f9b081571eb367825958b8ccded5f74b65744a761b874f7924dc37d703ad55afd3f73d672ae5bfe6a95
SSDEEP: 3072:VpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DTIK/BXH:VpKyPeadLaz+k0zn1j7rZeqGbHfNcckI
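Before acting on this report, confirm that the file you hold is the same sample: the hashes above are the only link between your copy and the sandbox run. The script below is an added example written for this page (not part of the sandbox output); it embeds the report's hash values, recomputes them with the standard library, and reports any disagreement. The ssdeep comparison relies on the third-party python-ssdeep package and is skipped when it is not installed.

```python
"""Verify a local copy of the sample against the hashes listed in the report."""
import hashlib
from pathlib import Path

# Hash values copied from the report for Factura379292.vbs.
REPORT_HASHES = {
    "md5": "434d31ae787eaa00581d957487abe814",
    "sha1": "85abbe0d2e47a3128a9c94c77395cc33cc7a4da8",
    "sha256": "7c50209f50ce49960450dec8780918a112576c2034ac10d70e569693434bc23a",
    "sha512": ("feafe13d3d5328ab4a8907a2999b6f8ae9182cd4c3758f9b081571eb36782595"
               "8b8ccded5f74b65744a761b874f7924dc37d703ad55afd3f73d672ae5bfe6a95"),
}
REPORT_SSDEEP = ("3072:VpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DTIK/BXH:"
                 "VpKyPeadLaz+k0zn1j7rZeqGbHfNcckI")
HASH_NAMES = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data: bytes) -> dict:
    """Return {algorithm: hexdigest} for the algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def compare_hashes(actual: dict, expected: dict) -> dict:
    """Return {algorithm: (actual, expected)} for every algorithm that disagrees.

    Comparison is case-insensitive; algorithms absent from `actual` are skipped,
    so a partial set of expected values can still be checked.
    """
    mismatches = {}
    for name, want in expected.items():
        got = actual.get(name)
        if got is not None and got.lower() != want.lower():
            mismatches[name] = (got, want)
    return mismatches


def fuzzy_similarity(data: bytes, report_hash: str = REPORT_SSDEEP):
    """ssdeep similarity (0-100) against the report's fuzzy hash.

    Returns None when the optional third-party `ssdeep` bindings (python-ssdeep,
    assumed here; not part of the standard library) are not installed.
    """
    try:
        import ssdeep
    except ImportError:
        return None
    return ssdeep.compare(ssdeep.hash(data), report_hash)


def verify_sample(path, expected: dict = REPORT_HASHES) -> dict:
    """Hash the file at `path` and return mismatches against the report.

    An empty dict means every listed hash matched.
    """
    data = Path(path).read_bytes()
    return compare_hashes(hash_bytes(data), expected)


if __name__ == "__main__":
    import sys
    bad = verify_sample(sys.argv[1])
    print("all hashes match" if not bad else f"MISMATCH: {bad}")
```

A cryptographic mismatch means you have a different file, even if ssdeep still reports a high similarity; treat the fuzzy score only as a hint that a variant was repacked or lightly edited.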
Static task: static1
Behavioral task: behavioral1 (Sample: Factura379292.vbs, Resource: win7-20240221-en)
Behavioral task: behavioral2 (Sample: Factura379292.vbs, Resource: win10v2004-20240226-en)
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: mo46
Domains: Formbook stores decoy domains alongside its real C2 and contacts the decoys as well as the real server, so the entries below are hunting and blocking leads, not individually confirmed C2 hosts.
mnt75.link
3531.vip
mtb-treasusry.com
jgdripcases.com
fuwnjq5d.shop
viralking.shop
eternalflorist.store
fangsgang.media
healthinsuranceudeserve.com
nomadadvertiser.com
iwuqb.pics
marlboro-nissan.com
massagemdossonhos.online
guhapplay.com
ingenieriaautomotriz56.com
email-555.com
mirarestaurants.com
theblueflamelabs.us
floristeriatheclover.com
mpmngr.online
winjiliapk.com
mzastudio.com
riskguardians.com
getreel.xyz
5bucks.cc
d3cargo.com
birdeye.markets
gstep.co.in
mygoodwalk.site
bevrobotics.com
newcrazyvision.com
cliniscribes.com
kegdol.xyz
sawstopmarketing.com
everpresent913.com
sg1noticias.com
heartlanefashions.com
66amk.com
yourdefectattorney.com
heejaznatural.shop
kurzrokderick.com
rackbudtesting.com
buzzifymaps.com
jaojeng888.biz
assetsx.io
ea-motorsports.com
allurearyts.com
goingproject.net
miamicorehealth.net
hoianbistro.com
fernfogmist.online
annaseojinpark.com
tryourckee.com
smartlockr.xyz
arcoyplata.com
businesshelp892933.com
51dm9.co
mydatabourg.com
pokerbet77.com
legacy-wholesale.com
saggingroofrepairservice.com
rednears.com
eventosguadalupe.com
remoteagents.co
mandatoryonline.com
Targets
Target: Factura379292.vbs
Size: 167KB
MD5: 434d31ae787eaa00581d957487abe814
SHA1: 85abbe0d2e47a3128a9c94c77395cc33cc7a4da8
SHA256: 7c50209f50ce49960450dec8780918a112576c2034ac10d70e569693434bc23a
SHA512: feafe13d3d5328ab4a8907a2999b6f8ae9182cd4c3758f9b081571eb367825958b8ccded5f74b65744a761b874f7924dc37d703ad55afd3f73d672ae5bfe6a95
SSDEEP: 3072:VpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DTIK/BXH:VpKyPeadLaz+k0zn1j7rZeqGbHfNcckI
- Formbook payload
- Adds policy Run key to start application
- Blocklisted process makes network request
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
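Two parts of this report translate directly into host and DNS hunting: the Run-key persistence signatures and the domain list from the extracted config. The block below is an added example written for this page, not sandbox output, and it serves both. It evaluates constructed Sysmon-style events (registry value set, ID 13; DNS query, ID 22) against rules derived from the report. The "policy Run key" signature is assumed to refer to the Policies\Explorer\Run key; the event records, SID, file paths and the subset of config domains embedded here are constructed for the example, and the remaining domains from the config can be added to the set in the same form. The thread-hiding and SetThreadContext signatures are API-level behaviour that this event source does not expose, so they are not covered.

```python
"""Hunting rules derived from the report's signatures and extracted config,
run over constructed Sysmon-style events. Example code for this page."""
import re

# Subset of the domains from the extracted Formbook config above (constructed
# subset for the example; extend with the rest of the report's list). Formbook
# keeps decoy domains next to its real C2, so a hit is an investigation lead,
# not proof that the matched domain itself is malicious.
CONFIG_DOMAINS = {
    "mnt75.link", "3531.vip", "mtb-treasusry.com", "jgdripcases.com",
    "healthinsuranceudeserve.com", "marlboro-nissan.com", "mandatoryonline.com",
}

# Run keys ("Adds Run key") and Policies\Explorer\Run ("Adds policy Run key",
# assumed meaning). Group 1 is set only for the policy variant. Wow6432Node is
# accepted so 32-bit writers on 64-bit hosts are not missed.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"
    r"(Policies\\Explorer\\)?Run\\[^\\]+$",
    re.IGNORECASE,
)


def config_domain_for(qname: str, domains=CONFIG_DOMAINS):
    """Return the config domain that `qname` equals or is a subdomain of, else None.

    Matching is on label boundaries: www.mnt75.link hits, notmnt75.link does not.
    A bare TLD is never tried, so a set entry like "link" could not match everything.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def classify(event: dict) -> list:
    """Tags for one event: Sysmon ID 13 (registry value set) or ID 22 (DNS query)."""
    tags = []
    if event.get("EventID") == 13:
        m = RUN_KEY_RE.search(event.get("TargetObject", ""))
        if m:
            tags.append("policy_run_key_persistence" if m.group(1) else "run_key_persistence")
    elif event.get("EventID") == 22:
        hit = config_domain_for(event.get("QueryName", ""))
        if hit:
            tags.append("formbook_config_domain:" + hit)
    return tags


def triage(events) -> list:
    """(RecordId, tag) pairs for every event that fires a rule, in input order."""
    return [(e["RecordId"], tag) for e in events for tag in classify(e)]


# Constructed events using Sysmon field names; not taken from the report's run.
SID = r"S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\Factura" % SID,
     "Details": r"wscript.exe C:\Users\user\AppData\Roaming\Factura379292.vbs"},
    {"RecordId": 2, "EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Factura",
     "Details": r"wscript.exe C:\Users\user\AppData\Roaming\Factura379292.vbs"},
    {"RecordId": 3, "EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleApp\DisplayName",
     "Details": "Example App"},
    {"RecordId": 4, "EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "www.mnt75.link"},
    {"RecordId": 5, "EventID": 22, "Image": r"C:\Windows\explorer.exe", "QueryName": "notmnt75.link"},
    {"RecordId": 6, "EventID": 22, "Image": r"C:\Windows\explorer.exe",
     "QueryName": "healthinsuranceudeserve.com."},
]

if __name__ == "__main__":
    for record_id, tag in triage(SAMPLE_EVENTS):
        print(record_id, tag)
```

Run-key hits are the higher-confidence signal here: a script host writing its own path into Run or Policies\Explorer\Run matches the report's persistence signatures directly, whereas a DNS hit on one config domain should be correlated with the querying process and with queries to several other entries from the list before it is treated as a Formbook beacon.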