General

Target: Invoiceo.exe
Size: 749KB
Sample: 210503-kyy6tqs8z2
MD5: 8f2489d7ce50e99109af9925818daf2b
SHA1: 5481d53e59fda1e0d849b677e15b410ba6f64fbc
SHA256: 0013853950647289e952326b93ce46aa3e73db654367ef3c005e29257db31fba
SHA512: e68ac0d33ddecb3712068f94b3a1459f57b26a9e74e970cb7f4ce2f1e64341d72294b2907049e738d115807ef9bd9e622483b64c2e2b26cc228df52a42195268
Static task: static1
Behavioral task: behavioral1
Sample: Invoiceo.exe
Resource: win7v20210408
Malware Config

Extracted: formbook 4.1

http://www.swim-maki.com/csi/
crazyonlineboutique.com
nelivo.com
chibimama-blog.com
teachersofnyc.com
rare-snare.com
sunriseatlennox.com
innovate-nation.com
mahowebcam.com
foodbyroyalbites.com
nkm580.com
premiumplanterboxes.com
uspaypausa.com
wto2b.com
evoocb.com
missilenttech.com
adtlive.com
guapeco.com
keepfaithful.com
djayhoward.com
cora-designstj.com
furrybasics.com
tabuk24.com
bioshope.online
naturaldesiproducts.com
ardreykellbaseball.com
irisettlement.com
bahama-id.com
lastweektonight.watch
professor-ux.com
lifecompetitions.net
axislnsmail.com
dohannor.com
powertuningfiles.com
analistaweb.net
baascompanies.com
gengkakmona.com
salonandspaexperts.com
mynet.ltd
lionandivy.com
shopalam.com
ana9aty.net
sandostore.com
theasigosysteminfo.com
academiadoaprender.com
akvirtualtours.com
hecoldwithit.com
stopsiba.com
credit780.com
ss01center.com
wristaidmd.com
s2nps.co.uk
kontrey.com
cheesecakedactory.com
bnytechnologies.com
enhancinggrowth.com
gorgeus-girl-full-service.today
bermudesfcrasettlement.com
beste-gruppe.com
lfntv.com
coronarestschuldbefreiung.info
positivechampions.com
roadsigntoday.club
oxytocin.online
bupamwhub.com
Targets

Target: Invoiceo.exe
Size: 749KB
MD5: 8f2489d7ce50e99109af9925818daf2b
SHA1: 5481d53e59fda1e0d849b677e15b410ba6f64fbc
SHA256: 0013853950647289e952326b93ce46aa3e73db654367ef3c005e29257db31fba
SHA512: e68ac0d33ddecb3712068f94b3a1459f57b26a9e74e970cb7f4ce2f1e64341d72294b2907049e738d115807ef9bd9e622483b64c2e2b26cc228df52a42195268
Signatures

- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext