General
-
Target
order-payment094093.exe
-
Size
760KB
-
Sample
240508-jd5d9sca68
-
MD5
91592318966139c15e0171f341882fc8
-
SHA1
a6689f85a42ce934c3e96a9088f67c48e2e1fe83
-
SHA256
2ece30c08f63f4fdc4d7326b39aa0066938163811e35d1aef6ddd2e0fada475f
-
SHA512
abfd94393776b2fc7aa418f66487813a78c18b4704a3e9fd15d0ae99f9b8a28ee7dbe28edaff425a7f5a85005b324262e88a638caa098abc2f4e7fc4e8e44d99
-
SSDEEP
12288:s8ImEuiETpbmqOwYG0JHK9Do7Uw82OpdYL445DR8jIQpOQgMUA23RzD1Kl4Ev5kR:s8I+b9CG0JHKG718izDa+x
Static task
static1
Behavioral task
behavioral1
Sample
order-payment094093.exe
Resource
win7-20240221-en
Malware Config
Extracted
formbook
4.1
hd05
businessjp6-51399.info
countyyoungpest.com
taxilasamericas.com
stairs.parts
nrgsolutions.us
cbdgirl.guru
dropshunter.net
adorabubble.co.za
alcohomeexteriors.com
aquariusbusiness.info
zaginione.com
pintoresmajadahonda.com
fursace.club
musiletras.co
carpoboutiquehotel.com
redacted.investments
symplywell.me
lezxop.xyz
stmbbill.com
1509068.cc
savdesign.online
gaiacoreresearch.com
pivoluvva-usa.com
kathrynmirabella.com
ziplnk.xyz
furanoikedanouen.com
regenesisvista.world
lorenzodavissr.com
friendlyemporium.com
7727.info
moledistillery.com
geturpdtaemza.com
sparkfirestarter.net
q3hjns.shop
thingsidonaked.com
attack.info
salihkaradag.com
vn6b6q.com
thierrydoublein.com
buddhasiddhartha.com
uniqueofferss.com
trexendofparadise.club
evans-gdaddy-test-domain.online
kgroundx.com
2us7o.us
damtherncooling.com
kakashi-hatake.shop
blogonrunning.com
lovepox.com
ramediatech.online
satwaspin.net
greenink.store
tuskerlogix.com
codyscalls.com
system.ngo
connect-talent.com
addck.top
teramilab.com
yuyuklmn123888yy.xyz
9orwr6.vip
nubeqa77.life
lmpalmour.com
sandeshkrantinews.in
find-buildings.com
vagabondtracks.com
Targets
-
-
Target
order-payment094093.exe
-
Size
760KB
-
MD5
91592318966139c15e0171f341882fc8
-
SHA1
a6689f85a42ce934c3e96a9088f67c48e2e1fe83
-
SHA256
2ece30c08f63f4fdc4d7326b39aa0066938163811e35d1aef6ddd2e0fada475f
-
SHA512
abfd94393776b2fc7aa418f66487813a78c18b4704a3e9fd15d0ae99f9b8a28ee7dbe28edaff425a7f5a85005b324262e88a638caa098abc2f4e7fc4e8e44d99
-
SSDEEP
12288:s8ImEuiETpbmqOwYG0JHK9Do7Uw82OpdYL445DR8jIQpOQgMUA23RzD1Kl4Ev5kR:s8I+b9CG0JHKG718izDa+x
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-