General
-
Target
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
-
Size
747KB
-
Sample
240614-whnzas1ara
-
MD5
3cd2595e3d20f8200d3ddf84b81932de
-
SHA1
c05f5a5fd2e0da7be16621a5482541f3d492891c
-
SHA256
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c
-
SHA512
fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670
-
SSDEEP
12288:H7nYP1+rSlwFON6zXeEt+f2VtTwfyfyp4P7r9r/+ppppppppppppppppppppppp0:HDYP1+rDOkKderNqS1qU
Static task
static1
Behavioral task
behavioral1
Sample
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
Resource
win10v2004-20240611-en
Malware Config
Extracted
formbook
3.9
cix
stephaniperold.com
sorairo12.com
palumasteknik.com
marketing4proptech.com
iwanttoheargod.com
structured-waters.com
sunvalleyvacations.net
sanketweb.com
tmasco.com
d-valentine.com
engmousavi.com
lithiumtolashes.com
texastramper.com
shoemall.store
beginningguitarbook.com
wonderlustnfairytales.com
bizinabox.store
kmacg.net
cashgold4cash.com
smtpguide.com
mmbl365.net
jmmjds.com
femmesquicomptent.com
izm-realestate.com
ingertona.com
getdge.com
sweeditalyphotography.com
entertainmenttoday.today
nwsouthroad.com
lstjs.com
sullivansandbox.com
adidasstoredk.com
thekalpataruyashodhan.net
illinoislaserengraving.com
wolvesretreats.com
voguestar-auto.com
haodao.ltd
bitsgo.net
ceramicsell.com
eee742.com
gryyt.info
stakeblock.com
ya-coffee.com
presidentialrxhealth.com
constructfed.com
toabetterworld.net
videostigers.com
xn--9swu6mv1h53c550dk8a.com
mushoku40dai.com
supercandylollipop.com
covepointmarineservices.net
salonluckyseven.biz
cameraddns.net
completereco.com
caripenyakitmu.com
enginewarninglights.com
yutaiwang.com
shoulu.info
max-bravely.net
interioriz.com
hongzhou.group
hpcustermercare.com
fitocoolvdwa.com
bigbrain.site
samperd.com
Targets
-
-
Target
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c.exe
-
Size
747KB
-
MD5
3cd2595e3d20f8200d3ddf84b81932de
-
SHA1
c05f5a5fd2e0da7be16621a5482541f3d492891c
-
SHA256
3979bd4374308cc1a5a91f04c080b480dc4081dd2612aa2a9d1b504f09b7367c
-
SHA512
fbc314a53bb2eeba48c0cf5793cc93b1f9361e62aa38de34c941d57bb677b0868e651ed46b783fef939c4b9659048b4a555c3e647201aae7ce1f9e9bf0731670
-
SSDEEP
12288:H7nYP1+rSlwFON6zXeEt+f2VtTwfyfyp4P7r9r/+ppppppppppppppppppppppp0:HDYP1+rDOkKderNqS1qU
-
404 Keylogger Main Executable
-
Formbook payload
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Accesses Microsoft Outlook profiles
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-