General
Target: Payment_4372889.exe
Size: 735KB
Sample: 210118-avl64cppqe
MD5: d7e382bb4854061f9fc7a9806da0d7af
SHA1: 07150c8377209b185e017d858f0cd6704ab2c732
SHA256: ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
SHA512: 2f1ae72ebc57a8b312740425113240a0de56aab10c2248f31b7f66e452a30f2583e32bfaaaacf9f3f4ee692aef09196477075441d5be24ad6be7630137b22a25
Static task: static1
Behavioral task: behavioral1
Sample: Payment_4372889.exe
Resource: win7v20201028
Malware Config
Extracted: formbook
http://www.merckcbd.com/dei5/
studiomullerphoto.com
reallionairewear.com
dogsalondoggy-tail.com
excelmache.net
bigdiscounters.com
7986799.com
ignition.guru
xiaoxu.info
jpinpd.com
solpool.info
uchooswrewards.com
everestengineeringworks.com
qianglongzhipin.com
deepimper-325.com
appliedrate.com
radsazemehr.com
vivabematividadesfisicas.com
capacitalo.com
somecore.com
listingclass.net
romel.codes
mybettermentor.com
hxc43.com
btccvil312723.com
rudiskenya.com
internationalrockmusic.com
wudiwifi.com
scienceacademyraj.com
tumulusinnovations.com
studioeduardobeninca.com
formabench.com
ribbonredwhiteandblue.com
miningequipmentrental.com
myamom.com
riversportswear.net
14505glenmarkdr.com
nikolcosmetic.com
toninopr.com
cutfortheconnect.com
nl22584.com
mezokovesd.com
rozhandesign.com
futbolki.space
rmobipanoshop.com
merchmuslim.com
recurrentcornealerosion.com
enottampan.com
vasquez.photos
koreanmindbeauty.com
andressabode.com
thetwolouises.com
weberbyroble.com
followmargpolo.com
englishclubb.online
sorryididnthearthat.com
greatlookfashion.club
cartoleriagrillocatania.com
esteprize.com
sdsej.com
phiecraft.xyz
psm-gen.com
passivefiresafe.com
homeyplantycosy.com
0343888.com
Targets
Target: Payment_4372889.exe
Size: 735KB
MD5: d7e382bb4854061f9fc7a9806da0d7af
SHA1: 07150c8377209b185e017d858f0cd6704ab2c732
SHA256: ee559d67bcad95fc4e1e6c867908b0b84338472a30d28d34da415c7efbd48f2b
SHA512: 2f1ae72ebc57a8b312740425113240a0de56aab10c2248f31b7f66e452a30f2583e32bfaaaacf9f3f4ee692aef09196477075441d5be24ad6be7630137b22a25
Signatures:
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Looks for VMWare Tools registry key
Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
Deletes itself
Maps connected drives based on registry (Disk information is often read in order to detect sandboxing environments.)
Suspicious use of SetThreadContext