flash

formbook_payload.exe

Status: finished
Submission Time: 23.09.2020 14:41:58
Malicious
Trojan
Evader
FormBook

Comments

Tags

Details

  • Analysis ID:
    289093
  • API (Web) ID:
    473299
  • Analysis Started:
    23.09.2020 14:41:59
  • Analysis Finished:
    23.09.2020 14:52:39
  • MD5:
    d6a689d265ef751ef429e140ac05cfff
  • SHA1:
    541c663afddfa3e55b6f83d1bc96a32bbb449a09
  • SHA256:
    fd0877627dc7213734ca8d6f6585ff8ef6e4ed8301a21bc570f39100d0c143a8
  • Technologies:
Full Report Management Report Engine Info Verdict Score Reports

malicious

System: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211

malicious
100/100

malicious

IPs

IP Country Detection
13.251.251.159
United States
35.242.251.130
United States
162.144.235.163
United States
Click to see the 5 hidden entries
93.89.224.166
Turkey
34.102.136.180
United States
184.168.131.241
United States
23.227.38.32
Canada
3.12.100.242
United States

Domains

Name IP Detection
slothzzz.com
23.227.38.32
dns.ladipage.com
13.251.251.159
esrasuaklier.xyz
93.89.224.166
Click to see the 21 hidden entries
cartmedical.com
34.102.136.180
chsepd.com
184.168.131.241
balancer.wixdns.net
35.242.251.130
binaxnowcovid19.com
184.168.131.241
summitcreators.com
162.144.235.163
hbozoom.com
34.102.136.180
www.hbozoom.com
0.0.0.0
www.chsepd.com
0.0.0.0
www.grepreps.com
0.0.0.0
www.vaytiennhanhhn.com
0.0.0.0
www.binaxnowcovid19.com
0.0.0.0
www.mynetlfis.info
0.0.0.0
www.dynamosdills.com
0.0.0.0
www.xfgyzzm.icu
0.0.0.0
www.slothzzz.com
0.0.0.0
www.summitcreators.com
0.0.0.0
www.esrasuaklier.xyz
0.0.0.0
www.offerswap.online
0.0.0.0
www.cartmedical.com
0.0.0.0
prod-sav-park-lb01-1919960993.us-east-2.elb.amazonaws.com
3.12.100.242
www.harpoonchicken.com
66.96.162.138

URLs

Name Detection
http://www.cartmedical.com/agwz/?MnZ=GXLtz&LZND0=XyP58VnLar4+RAv/d7RGEOqH4pOR5mj5cf5OeBalLJidQaj9Eoj8z9kojfq3myKrE19m
http://www.slothzzz.com/agwz/?LZND0=Nm1g+Cr7PxAWjMuG/lXz57InbucQImWyPlJ6lo+2AgUBGhOlnrczzCcW0Z0mOFR6lVtp&MnZ=GXLtz
http://www.chsepd.com/agwz/?LZND0=hqqbBV0tUnbf1XYheYmcmAHV7six6FgMl/GeeF/i6LtxzIqJ3tJ1B/UEqdy/W9gVRkC4&MnZ=GXLtz
Click to see the 48 hidden entries
http://www.vaytiennhanhhn.com/agwz/?MnZ=GXLtz&LZND0=Of2aIFEqGqaZSU01tED2zDtUGS2BuTTC4sd6snsFqGWk/fnR2snxkIG75VHf2UAJ0o1B
http://www.summitcreators.com/agwz/?MnZ=GXLtz&LZND0=9QCoIfa5iCzEbN3Z+R0VQ9gIeVK3nbjlwZ/eYJgsZnRvtJdKzbJpmDYy8yv6f2R6bfqj
http://www.hbozoom.com/agwz/?MnZ=GXLtz&LZND0=y/yg6nca0XsCzu0iO/J1iPqqOPJ8yJtAtZIup4o9k847awKGzQIlIjJ6GOEhZcKx61/V
http://www.dynamosdills.com/agwz/?LZND0=yQ4M83h6mCL3szU05+AlLjJXCO7kj/quc7kP2vOtrjUS7HiKS67pwsdhPNRwpMvgRme+&MnZ=GXLtz
http://www.esrasuaklier.xyz/agwz/?LZND0=1nPWTwIhjCwDoHLc2W73eVKnTzc7HaiklWcd/zDksDOCjn2F0sQeE2o9z8X8xeyz6CCc&MnZ=GXLtz
http://www.grepreps.com/agwz/?MnZ=GXLtz&LZND0=CH0nB3OluF49qRSz/OLk4EtJPMsMaw/iehJ+yYvfoA68c6qhDghDV8r53EnzBlz3EcTe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
http://www.fontbureau.com/designersG
http://www.fontbureau.com/designers/?
http://www.founder.com.cn/cn/bThe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
http://www.fontbureau.com/designers?
http://www.tiro.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
http://www.fontbureau.com/designers
http://www.goodfont.co.kr
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
http://www.sajatypeworks.com
http://www.typography.netD
http://www.founder.com.cn/cn/cThe
http://www.galapagosdesign.com/staff/dennis.htm
http://fontfabrik.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
http://www.galapagosdesign.com/DPlease
http://www.%s.comPA
http://www.fonts.com
http://www.sandoll.co.kr
http://www.urwpp.deDPlease
http://www.zhongyicts.com.cn
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
http://www.sakkal.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
http://www.autoitscript.com/autoit3/J
http://www.apache.org/licenses/LICENSE-2.0
http://www.fontbureau.com
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
http://www.carterandcone.coml
http://www.fontbureau.com/designers/cabarga.htmlN
http://www.founder.com.cn/cn
http://www.fontbureau.com/designers/frere-jones.html
http://www.jiyu-kobo.co.jp/
http://www.fontbureau.com/designers8
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/

Dropped files

Name File Type Hashes Detection
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_formbook_payload_2ad36f1db2fadfb3a57e38280b737dd9b81d1f_0c7cfe27_07e8461e\Report.wer
Little-endian UTF-16 Unicode text, with CRLF line terminators
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FD7.tmp.dmp
Mini DuMP crash report, 15 streams, Wed Sep 23 21:42:50 2020, 0x1205a4 type
#
C:\ProgramData\Microsoft\Windows\WER\Temp\WER371B.tmp.WERInternalMetadata.xml
XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
#
Click to see the 1 hidden entries
C:\ProgramData\Microsoft\Windows\WER\Temp\WER38E1.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
#