General
- Target: LOI.exe
- Size: 809KB
- Sample: 210112-xz6tzal4qx
- MD5: f55d280858080efac6e84da67a284d75
- SHA1: 816c8aea265cc8084bb5d9a5ad954eb295178524
- SHA256: e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42
- SHA512: 72b01d2003c2aeaa90793d42d23922c6a6bbca5bd8c2abec10c114c419fd0a30b314c2491f9219ee29e266c2b0707089dcba514e7acd0a5df01de0275fbeddb5

Static task: static1
Behavioral task: behavioral1
- Sample: LOI.exe
- Resource: win7v20201028

Malware Config
Extracted: formbook
Targets
- Target: LOI.exe
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Deletes itself
- Maps connected drives based on registry (Disk information is often read in order to detect sandboxing environments.)
- Suspicious use of SetThreadContext