General
Target: PURCHASE ORDER.exe
Size: 378KB
Sample: 201109-7g9t2svh9n
MD5: c284f72d5a76d0ff86ed2c35c74ebe89
SHA1: ceeae846adc4e2f121f601c7d3cf13a1b9ebff33
SHA256: 916badee0304605bfd8e43c11179fb975d094226a432eeb28af55dc9be426c24
SHA512: 240b5096045ba660bddf27f0ff26031a99b5ecf005094ad91df019ad7b832a64102b009a7d1187bd946951912730108469c36b37a2925596a641a7becf2d9469
Behavioral task: behavioral1
Sample: PURCHASE ORDER.exe
Resource: win7v20201028
Malware Config
Extracted: formbook
http://www.mansiobok3.info/ch62/
Targets
Target: PURCHASE ORDER.exe
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext