General

Target: 68ac6f0ad7bce72b24cd1ed92e0ddeace4268c51281bfe030c4b8c3f38af6ec7
Size: 484KB
Sample: 220520-2yhp4sgbh8
MD5: 50adff2b73c2d25ac4a3a40086f8cc18
SHA1: 15d1c8954c852f8da67155aef5edd9a36a3b0799
SHA256: 68ac6f0ad7bce72b24cd1ed92e0ddeace4268c51281bfe030c4b8c3f38af6ec7
SHA512: d48a841d735ede4bc3a3b2f41e104efe014ce21b3de468403af998f423e0e9c91b606ade8cd281e090daa1841ef5f5c48f2240b1aa9a1994241c2de8c1e47b9e
Static task: static1
Behavioral task: behavioral1
Sample: KRD2020000000002 PDF.exe
Resource: win7-20220414-en
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: hnh
C2:
The list below is the complete domain list carried in the extracted configuration. FormBook configurations mix the live C2 domain(s) with decoy domains that the sample also contacts, so every entry is a usable indicator of this sample's traffic, but not every entry is attacker-controlled infrastructure.
stackingplans.info
landscapingcanberra.com
apxlegal.com
gzajs.com
senladvocaten.com
stephanieabella.com
indivmgtsvc.com
wildlife-botanicals.com
fingrfull.com
ustar-electric.com
timesharebefree.com
safefirstresponder.com
giliticketoperator.com
silverstarscents.com
4752condordrive.info
joomak.net
new-auto-news.com
ottodesign.store
kxg01.com
chrisoncreation.com
robielutsey.com
dhayaltechsystems.com
giftbizz.com
outpost-security.com
wwwjinsha937.com
pro-piedades.com
buffalocoresupply.com
netw.site
gooddayrental.com
qingyujian.com
atiasyariv.com
immaver.com
intervention4change.com
landlockedtraveler.com
onionfaucet.win
fairygroundsocks.com
adrianscharfetter.com
prolumen.biz
ibkmalakhit.net
rivertownehomeforsale.com
productsarehard.com
recoreltd.com
111972.info
wahzik.com
lackyshopping.com
xn--u8jxbl0m2g4a1h6q.com
ousxqh.men
bobingxiaochengxu.com
fullkiwi.com
dearwaltdisney.com
njduqiang.com
firesideeditions.com
cuagonhuaviettin.com
imaginethatideas.com
tian.agency
astrosolarfast.com
chosentechshopandreview.com
avatar99.com
lakazanono.com
news-chinatimes.com
www245234.com
hojespecial.com
x13q876dvq.com
tmtcaa.info
patlod.com
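The extracted configuration above is only useful once it is turned into something a SOC can match on. The following added example (it is not part of the Tria.ge report and not FormBook's own code) parses a config block in the same family/version/campaign/domain-list layout, validates and defangs each domain, decodes punycode labels such as the xn-- entry above, and emits one Suricata dns.query rule per domain. CONFIG_TEXT is a constructed excerpt containing only a few of the report's domains; the parser handles the full list unchanged, and the sid range is an arbitrary assumption.

```python
"""Turn a FormBook config dump into hunt-ready artifacts (added example)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's layout: family, version, campaign, then the C2 list.
CONFIG_TEXT = """\
formbook
4.1
hnh
stackingplans.info
landscapingcanberra.com
xn--u8jxbl0m2g4a1h6q.com
onionfaucet.win
4752condordrive.info
"""

# RFC 1035-style hostname check: labels of 1..63 chars, no leading/trailing hyphen, 253 chars total.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


@dataclass
class FormbookConfig:
    family: str
    version: str
    campaign: str
    c2: list[str] = field(default_factory=list)


def parse_config(text: str) -> FormbookConfig:
    """Parse the three header fields and the domain list; reject anything that is not a hostname."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, campaign, *domains = lines
    cfg = FormbookConfig(family, version, campaign)
    for d in domains:
        d = d.lower()
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a domain: {d!r}")
        cfg.c2.append(d)
    return cfg


def defang(domain: str) -> str:
    """Replace dots so the indicator can be pasted into tickets or chat without auto-linking."""
    return domain.replace(".", "[.]")


def unicode_label(domain: str) -> str:
    """Decode xn-- (punycode) labels so the analyst sees the IDN name a victim would see."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def suricata_dns_rules(cfg: FormbookConfig, base_sid: int = 9000000) -> list[str]:
    """One dns.query rule per configured domain; base_sid is an assumed local rule range."""
    rules = []
    for i, d in enumerate(cfg.c2):
        rules.append(
            f'alert dns any any -> any any (msg:"HUNT {cfg.family} {cfg.version} '
            f'campaign {cfg.campaign} DNS query {d}"; dns.query; content:"{d}"; '
            f"nocase; endswith; sid:{base_sid + i}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    for d in cfg.c2:
        print(f"{defang(d):40} {unicode_label(d)}")
    print("\n".join(suricata_dns_rules(cfg)))
```

Because FormBook beacons to decoys as well as to its real C2, alerting on the whole list still catches the sample's own traffic; the decoy caveat matters when the domains are used to attribute infrastructure, not when they are used to detect the infection.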
Targets
Target: KRD2020000000002 PDF.exe
Size: 735KB
MD5: 4e904adeaaeac677885bbe4c6be06a3a
SHA1: 48fe1138bb8323fa29f5b9d7b8e02a97dc0c9afa
SHA256: d104548b154ac28142944b839993b9f0c8ad45d42a3e72d888aa8ba0e22562fd
SHA512: 2803b5a5b4cab020a2a3bb1861601633ec8041a20946cd6f8fc57f5a936bf1f535ec3dc2a597c60f360ad4cc2a45f97b372be04351c9ac30ec9a053804e696ef

The double extension in the filename (" PDF.exe") is the lure: the file is a PE executable presented as a PDF document.

Signatures
suricata: ET MALWARE FormBook CnC Checkin (GET)

Formbook Payload

Looks for VirtualBox Guest Additions in registry

Adds policy Run key to start application
Persistence via Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, which Explorer processes at logon like the ordinary Run key but which is inspected far less often.

Looks for VMWare Tools registry key

Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.

Deletes itself
The dropper removes its own file once the payload is running, so the on-disk sample may not survive on an infected host; the hashes above are the artifact to hunt for.

Adds Run key to start application

Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.

Suspicious use of SetThreadContext
A strong indicator of process hollowing or thread hijacking: the payload is written into a suspended process and the thread's entry point is redirected with SetThreadContext before ResumeThread.
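The behaviours above are individually weak (reading BIOS keys is common) but together form a recognisable profile. The following added example (not part of the Tria.ge report) runs detection logic over a constructed pid|api|argument trace of the kind a sandbox or an API monitor produces: it matches the registry keys these checks touch, counts persistence only when a Run key is written rather than read, reconstructs the CreateProcess(CREATE_SUSPENDED) → WriteProcessMemory → SetThreadContext → ResumeThread hollowing sequence per process, and flags self-deletion of the sample. The key paths are the real Windows locations for these artifacts, but which exact keys the sandbox's own signatures match, and the trace format itself, are assumptions.

```python
"""Score an API trace for the anti-VM, persistence and hollowing behaviours (added example)."""
import re
from collections import defaultdict

# Registry paths (case-insensitive regexes) behind each report signature; the mapping is assumed.
REGISTRY_SIGNATURES = {
    "vbox_guest_additions": r"\\oracle\\virtualbox guest additions",
    "vmware_tools": r"\\vmware, inc\.\\vmware tools",
    "bios_info": r"\\hardware\\description\\system(\\bios)?$",
    "disk_enum": r"\\services\\disk\\enum",
    "policy_run_key": r"\\policies\\explorer\\run$",
    "run_key": r"\\currentversion\\run$",
}
ANTI_VM = {"vbox_guest_additions", "vmware_tools", "bios_info", "disk_enum"}
PERSISTENCE = {"run_key", "policy_run_key"}

# Canonical hollowing order; all four must occur in this order within one process.
HOLLOWING_SEQUENCE = [
    "CreateProcess(CREATE_SUSPENDED)", "WriteProcessMemory", "SetThreadContext", "ResumeThread",
]

# Constructed trace: pid 1234 behaves like the sample, pid 4321 is a benign process reading Run.
EVENTS = """\
1234|RegOpenKey|HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
1234|RegOpenKey|HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
1234|RegOpenKey|HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS
1234|RegOpenKey|HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum
1234|RegSetValue|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
1234|RegSetValue|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
1234|CreateProcess(CREATE_SUSPENDED)|C:\\Windows\\System32\\svchost.exe
1234|WriteProcessMemory|pid=5678
1234|SetThreadContext|tid=9999
1234|ResumeThread|tid=9999
1234|DeleteFile|C:\\Users\\user\\Desktop\\KRD2020000000002 PDF.exe
4321|RegOpenKey|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
"""


def parse_events(text):
    """Return (pid, api, argument) tuples from the pid|api|argument trace."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, api, arg = line.split("|", 2)
            events.append((int(pid), api, arg))
    return events


def registry_hits(events):
    """Map pid -> set of registry signature names it triggered."""
    hits = defaultdict(set)
    for pid, api, arg in events:
        if not api.startswith("Reg"):
            continue
        path = arg.lower()
        for name, pattern in REGISTRY_SIGNATURES.items():
            if re.search(pattern, path):
                # Reading a Run key is normal (Explorer does it); only a write is persistence.
                if name in PERSISTENCE and api != "RegSetValue":
                    continue
                hits[pid].add(name)
    return dict(hits)


def hollowing_pids(events):
    """Pids that issued the full hollowing call sequence, in order, ignoring unrelated calls."""
    progress = defaultdict(int)
    found = set()
    for pid, api, _ in events:
        step = progress[pid]
        if step < len(HOLLOWING_SEQUENCE) and api == HOLLOWING_SEQUENCE[step]:
            progress[pid] = step + 1
            if progress[pid] == len(HOLLOWING_SEQUENCE):
                found.add(pid)
    return found


def self_delete_pids(events, sample_name):
    """Pids that deleted a file whose name is the submitted sample's."""
    name = sample_name.lower()
    return {pid for pid, api, arg in events if api == "DeleteFile" and arg.lower().endswith(name)}


def score(events, sample_name="KRD2020000000002 PDF.exe"):
    """Per-pid summary: signature names, number of anti-VM checks, and whether persistence was set."""
    reg, hollow, deleted = registry_hits(events), hollowing_pids(events), self_delete_pids(events, sample_name)
    report = {}
    for pid in {e[0] for e in events}:
        sigs = set(reg.get(pid, set()))
        if pid in hollow:
            sigs.add("process_hollowing")
        if pid in deleted:
            sigs.add("self_delete")
        report[pid] = {
            "signatures": sorted(sigs),
            "anti_vm_checks": len(ANTI_VM & sigs),
            "persistence": bool(PERSISTENCE & sigs),
        }
    return report


if __name__ == "__main__":
    for pid, summary in sorted(score(parse_events(EVENTS)).items()):
        print(pid, summary)
```

The ordering check in hollowing_pids is what separates this from a plain API-name match: SetThreadContext on its own appears in debuggers and some legitimate runtimes, but a suspended child, a cross-process write and a context change followed by ResumeThread from the same parent is the injection pattern the report's signature is pointing at.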