General
Target: 44696d252000850d3ea71d9ae238aedc
Size: 1.0MB
Sample: 210915-h65easdbcn
MD5: 44696d252000850d3ea71d9ae238aedc
SHA1: 1fb61a1df500f9025641526cb4013d555b129a84
SHA256: 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
SHA512: e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314
Static task: static1
Behavioral task: behavioral1
Sample: 44696d252000850d3ea71d9ae238aedc.exe
Resource: win7-en
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: vtkz
C2: http://www.luxuriousshoestop.com/vtkz/
Decoy domains:
todaynewsbuzz.com
bootwish.com
michelleortegawrites.com
tutorialme.com
daretoplaygames.com
telefonepantalla.com
advisorsoncall.life
marketingloisirs.com
cremationmtzionil.com
lgbtsuccess.com
cassandrawind.com
globaltradepay.com
thecafeart.com
starmobilehome.com
ugotshot.com
c03eeniom.store
afcerd.com
eleyhexs.com
utmmarhitzfil.com
saudiisrael.com
avanzanegocio.com
round-n.com
marketingdestatus.com
hibiskushomos.site
ignitemyboiler.com
lyofio.com
appltimized.com
mhughescreative.com
bournesolutionsgroup.com
byhollyb.com
space-holder.com
hchgroupconstruction.com
datamaticsbsl.com
vrsgw.com
erectwaves.com
playlinedomino.xyz
home-secure24.com
hausofdeme.com
jessejamesammo.com
theadventuringsmiths.com
expertsenegal.com
curemelaser.com
phatsarasinghapanich.com
mysacredone.com
out-n-play.com
us-m-patpat.com
nihilichor.com
revistadominga.com
q6talkspod.com
hoteltubsurroundinstallers.com
endlesshealthdiet.com
activwr.com
kalashaddict.com
sbo2008.com
anigloo.com
funtolearnthai.com
eflea.world
camisetasretrodefutbol.com
ycxswh.com
bhavishyalabs.com
hustlerhost.com
villasantonio.com
hedwig1000.com
casasruralesencazorla.com
Targets
Target: 44696d252000850d3ea71d9ae238aedc
Size: 1.0MB
MD5: 44696d252000850d3ea71d9ae238aedc
SHA1: 1fb61a1df500f9025641526cb4013d555b129a84
SHA256: 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
SHA512: e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314
- Turns off Windows Defender SpyNet reporting
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Nirsoft
- Executes dropped EXE
- Looks for VMWare Tools registry key
- Checks BIOS information in registry (BIOS information is often read in order to detect sandboxing environments.)
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Maps connected drives based on registry (Disk information is often read in order to detect sandboxing environments.)
- Suspicious use of SetThreadContext