General
Target: justificante de pago_pdf.vbs
Size: 167KB
Sample: 240326-pxw5wsad92
MD5: 46fc70d31386d4539f1195a8c16981ad
SHA1: 003035fe7f9d28c394486f1f0941a411ed70ff86
SHA256: 2021b29b0f29e42b35f7796a8c7615307d555dcc4b0bbacb599f246f556e810a
SHA512: c4ad8b45cd303759d73d2fff7b48de7a42a050baea363fe51f1e61aef3b34dd8264bfac38080af93d7ab7ed03e122f374e33d679c9b0b5894a1db0615c695ce6
SSDEEP: 3072:KpK6/PeadLaz+kxSzn9Lj7rZeqGbHfNcckB+HGuG5Elx7d5czQON8DMXVMK8m:KpKyPeadLaz+k0zn1j7rZeqGbHfNcckd
Static task: static1
Behavioral task: behavioral1
Sample: justificante de pago_pdf.vbs
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: justificante de pago_pdf.vbs
Resource: win10v2004-20240226-en
Malware Config
Extracted: formbook
Version: 4.1
Campaign: mo46
C2/decoy domains (a Formbook config embeds decoy domains alongside the live C2 and the report does not say which entry is live, so treat every entry below as an indicator):
mnt75.link
3531.vip
mtb-treasusry.com
jgdripcases.com
fuwnjq5d.shop
viralking.shop
eternalflorist.store
fangsgang.media
healthinsuranceudeserve.com
nomadadvertiser.com
iwuqb.pics
marlboro-nissan.com
massagemdossonhos.online
guhapplay.com
ingenieriaautomotriz56.com
email-555.com
mirarestaurants.com
theblueflamelabs.us
floristeriatheclover.com
mpmngr.online
winjiliapk.com
mzastudio.com
riskguardians.com
getreel.xyz
5bucks.cc
d3cargo.com
birdeye.markets
gstep.co.in
mygoodwalk.site
bevrobotics.com
newcrazyvision.com
cliniscribes.com
kegdol.xyz
sawstopmarketing.com
everpresent913.com
sg1noticias.com
heartlanefashions.com
66amk.com
yourdefectattorney.com
heejaznatural.shop
kurzrokderick.com
rackbudtesting.com
buzzifymaps.com
jaojeng888.biz
assetsx.io
ea-motorsports.com
allurearyts.com
goingproject.net
miamicorehealth.net
hoianbistro.com
fernfogmist.online
annaseojinpark.com
tryourckee.com
smartlockr.xyz
arcoyplata.com
businesshelp892933.com
51dm9.co
mydatabourg.com
pokerbet77.com
legacy-wholesale.com
saggingroofrepairservice.com
rednears.com
eventosguadalupe.com
remoteagents.co
mandatoryonline.com
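Because the extracted config mixes the live C2 with decoys, the practical use of the list above is to match it against DNS telemetry as a whole. The following is an added example (not part of the sandbox report) that does that: the indicator set is a subset of the domains above, the log lines are constructed for illustration in a generic "timestamp client qname" shape, and matching is by exact name or subdomain so that lookalikes such as notmnt75.link do not match.

```python
"""Match DNS query logs against the Formbook C2/decoy domain list.

Added example, not part of the sandbox report. The log lines below are
constructed; the indicator set is a subset of the extracted config
domains (load the full list from the report in practice). Formbook
configs carry decoy domains alongside the live C2, so every entry is
treated as an indicator rather than guessing which one is live.
"""

# Subset of the domains from the extracted config.
FORMBOOK_DOMAINS = {
    "mnt75.link", "3531.vip", "mtb-treasusry.com", "jgdripcases.com",
    "fuwnjq5d.shop", "viralking.shop", "eternalflorist.store",
    "email-555.com", "5bucks.cc", "mandatoryonline.com",
}

# Constructed sample lines: "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2024-03-26T10:01:02Z 10.0.0.15 www.mnt75.link.
2024-03-26T10:01:03Z 10.0.0.15 update.microsoft.com.
2024-03-26T10:01:09Z 10.0.0.22 EMAIL-555.COM
2024-03-26T10:02:11Z 10.0.0.22 notmnt75.link
2024-03-26T10:02:40Z 10.0.0.31 api.5bucks.cc
"""


def normalize(qname: str) -> str:
    """Strip a trailing root dot and lower-case the name for comparison."""
    return qname.rstrip(".").lower()


def matching_indicator(qname: str, indicators=FORMBOOK_DOMAINS):
    """Return the config domain that qname equals or is a subdomain of, else None.

    Suffixes are compared label by label (a.b.c -> a.b.c, b.c, c), so a
    name that merely ends in the same characters (notmnt75.link) is not a hit.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_dns_log(text: str, indicators=FORMBOOK_DOMAINS):
    """Return (timestamp, client, queried name, matched indicator) for each hit."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or empty line
        ts, client, qname = parts[0], parts[1], parts[2]
        ioc = matching_indicator(qname, indicators)
        if ioc:
            hits.append((ts, client, normalize(qname), ioc))
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("HIT", *hit)
```

Running it against the constructed log reports the www.mnt75.link, EMAIL-555.COM and api.5bucks.cc queries and ignores update.microsoft.com and the lookalike notmnt75.link.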
Targets
Target: justificante de pago_pdf.vbs (same file and hashes as under General)
Formbook payload
Signatures:
- Adds policy Run key to start application (persistence via the Policies\Explorer\Run key, which is processed like the ordinary Run key but is less commonly inspected)
- Blocklisted process makes network request
- Checks computer location settings (looks up the country code configured in the registry, likely a geofence)
- Adds Run key to start application
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtCreateThreadExHideFromDebugger (thread created with the hide-from-debugger flag, an anti-debugging measure)
- Suspicious use of NtSetInformationThreadHideFromDebugger (existing thread hidden from an attached debugger)
- Suspicious use of SetThreadContext (execution redirected in another thread, consistent with process hollowing or injection)
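The two Run-key signatures above correspond to registry writes that can be detected from endpoint telemetry. The following is an added example, not part of the sandbox report: it classifies constructed records shaped like Sysmon Event ID 13 (registry value set; field names Image, TargetObject and Details follow Sysmon's) and flags writes to Run, RunOnce and the Policies\Explorer\Run key under either HKCU/HKU or HKLM. Rating a write by a script host such as wscript.exe as high severity is this example's own assumption, chosen because the sample here is a .vbs file.

```python
"""Flag Run / RunOnce / Policies\\Explorer\\Run persistence writes in
Sysmon-style registry events.

Added example, not part of the sandbox report. SAMPLE_EVENTS is a
constructed list of dicts in the shape of Sysmon Event ID 13
(RegistryEvent, value set). Treating script hosts as high-severity
writers is this example's assumption for a .vbs dropper.
"""
import re

# ...\CurrentVersion\Run\<name>, ...\RunOnce\<name>, and the policy variant
# ...\CurrentVersion\Policies\Explorer\Run\<name>; hive prefix is irrelevant.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<policy>Policies\\Explorer\\)?Run(?P<once>Once)?\\(?P<name>[^\\]+)$",
    re.IGNORECASE,
)

# Assumed: script/LOLBin hosts writing a Run key are rated high severity.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed sample events (Sysmon Event ID 13 shape).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\updater",
     "Details": r"C:\Users\user\AppData\Roaming\updater.vbs"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\x",
     "Details": r"C:\Users\user\AppData\Local\Temp\x.exe"},
]


def classify(event):
    """Return a finding dict for a Run-key write, or None for anything else."""
    if event.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    writer = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if m.group("policy"):
        key_kind = "policy_run"
    elif m.group("once"):
        key_kind = "runonce"
    else:
        key_kind = "run"
    severity = "high" if writer in SCRIPT_HOSTS else "medium"
    return {"key": key_kind, "name": m.group("name"), "writer": writer,
            "value": event.get("Details", ""), "severity": severity}


def scan_events(events):
    """Classify every event and keep only the Run-key findings."""
    return [f for f in (classify(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

On the constructed events this yields three findings: the policy Run write and the RunOnce write by wscript.exe (high), the vendor installer's Run entry (medium), and nothing for the unrelated Explorer\Advanced write.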