General
-
Target
PO - 04755 .bat.exe
-
Size
541KB
-
Sample
240701-p2zrkssela
-
MD5
37f3b2a7f84422ea9fce13bcc170461b
-
SHA1
b2d8ac2774b12ffc4412435224398f3909bc8ceb
-
SHA256
7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
-
SHA512
604aeeaf52c3aaab4e1a46ec2879d7b8e6f68ce0168e2f7ffc4f970b1633a2752959816bde10bbe19946a0ae7a2e9d373979554729fc7ed9366e1c5516b6639a
-
SSDEEP
12288:YEuIQ8LBZ0BJxONHZZZxa3qBHkKbdUKSaEpkAE5YWOzxRwzPE58bm:XlXBWDxOpxk3qBHkcWgEppEWzxRw458K
Static task
static1
Behavioral task
behavioral1
Sample
PO - 04755 .bat.exe
Resource
win7-20240419-en
Malware Config
Extracted
formbook
4.1
45er
depotpulsa.com
k2bilbao.online
bb4uoficial.com
rwc666.club
us-pservice.cyou
tricegottreats.com
zsystems.pro
qudouyin6.com
sfumaturedamore.net
pcetyy.icu
notbokin.online
beqprod.tech
flipbuilding.com
errormitigationzoo.com
zj5u603.xyz
jezzatravel.com
zmdniavysyi.shop
quinnsteele.com
522334.com
outdoorshopping.net
7140k.vip
appmonster.live
rvrentalsusane.com
berry-hut.com
h-m-32.com
aklnk.xyz
project.fail
thelbacollection.com
ternkm.com
331022.xyz
qhr86.com
casvivip.com
f661dsa-dsf564a.biz
holisticfox.com
taobaoo03.com
kursy-parikmaher.store
reignscents.com
wot4x4.com
axoloterosa.com
instzn.site
nn477.xyz
jwsalestx.com
cualuoinuhoang.com
sagehrsuiteindercloud.solutions
2ecxab.vip
lottery99nft.xyz
budakbetingbet43.click
plaay.live
drmediapulsehub.com
bahismax.com
clareleeuwinclark.com
clarimix.com
ssongg11913.cfd
shapoorji-kingstown.com
detoxifysupplements.info
easy100ksidegig.com
abramovatata.online
barillonfo.net
keendeed.com
yunosave.online
pptv05.xyz
malianbeini.net
polariscicuit.com
sahibindencomparamguvend.link
used-cars-99583.bond
Targets
-
-
Target
PO - 04755 .bat.exe
-
Size
541KB
-
MD5
37f3b2a7f84422ea9fce13bcc170461b
-
SHA1
b2d8ac2774b12ffc4412435224398f3909bc8ceb
-
SHA256
7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
-
SHA512
604aeeaf52c3aaab4e1a46ec2879d7b8e6f68ce0168e2f7ffc4f970b1633a2752959816bde10bbe19946a0ae7a2e9d373979554729fc7ed9366e1c5516b6639a
-
SSDEEP
12288:YEuIQ8LBZ0BJxONHZZZxa3qBHkKbdUKSaEpkAE5YWOzxRwzPE58bm:XlXBWDxOpxk3qBHkcWgEppEWzxRw458K
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-