General
-
Target
LOI.exe
-
Size
730KB
-
Sample
210120-z2fqle586n
-
MD5
17069e546f158a94eebb67883783f236
-
SHA1
78bf28fc9cfc94fa4b0232d25b3eeebcc1d823e2
-
SHA256
55e40397f7933e9ae3826ebb13481d4f91f31dd7c8e4de461f5f90679c05ffc6
-
SHA512
5ae9a6ff39d634c28750a6dea20956dadb29aac92621ac16fb7800fded33de1202ea0e82bd187da0eff2cbbdba7039f821a196e7c0b367aeeb5e18b3ba9f788d
Static task
static1
Behavioral task
behavioral1
Sample
LOI.exe
Resource
win7v20201028
Malware Config
Extracted
formbook
http://www.myoasisforhealing.com/zu8g/
teamhumanity2020.com
nestennhome.com
suamaylanhmiennam.com
antigermpros.com
lisatfashions.com
5509bet04.com
vpncreate.com
rangers3.xyz
kotaskeyschains.com
manatapmasalalu.com
mordo.asia
ranelpadon.com
tisnmao.com
eatsourdough.com
spreadthelovestophate.com
superiorvillage.com
ecualeaf.com
tribelogy.net
kaway.online
xp055.com
growrich.club
ascarpetcleaners.com
sanpinjs.com
immobilienpreis.email
havenjet.com
ubolacabs.com
maggiegiftshop.com
2bfittherapy.com
wbarmsheepandwool.com
nilranker.com
igebiotech.com
arvindheeyounginfosys.com
thaimond.com
goldenchanceauction.com
oryet.com
working-girl.co.uk
fineartnotebook.com
jeevesplus.com
sciencekritieducation.com
rokstrapseast.com
propertysettlementrefund.com
wwwgraciescottage.com
syduit.com
theprivateeyeguy.com
etihadonlinebanners.com
nathanadaniel.com
galaxyhorror.com
blockchainautoloans.com
oneroomarthouse.com
wse.green
plussize247.com
soroseco.com
code-des-4-cles.com
russtybeats.com
gogreenaromas.com
igualandocaminos.com
savageitaly.com
mymusicalmindfulness.computer
olleaf.com
hicopoe.space
elkinsnazarene.com
cancelmind.com
dearsisterbeauty.com
garrettthorn.com
Targets
-
-
Target
LOI.exe
-
Size
730KB
-
MD5
17069e546f158a94eebb67883783f236
-
SHA1
78bf28fc9cfc94fa4b0232d25b3eeebcc1d823e2
-
SHA256
55e40397f7933e9ae3826ebb13481d4f91f31dd7c8e4de461f5f90679c05ffc6
-
SHA512
5ae9a6ff39d634c28750a6dea20956dadb29aac92621ac16fb7800fded33de1202ea0e82bd187da0eff2cbbdba7039f821a196e7c0b367aeeb5e18b3ba9f788d
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-