General
Target: 3794a970aaf5b516a68ee78ca115981e289fb0af575d53c02efd860ef9a40d2a
Size: 347KB
Sample: 220521-a1fjzseagq
MD5: e3ad0c63ef186d3f865df7f93a81b125
SHA1: a7a09846d201736decb5db298821beb25f7acf56
SHA256: 3794a970aaf5b516a68ee78ca115981e289fb0af575d53c02efd860ef9a40d2a
SHA512: 92a2509dd3a3dfeb59c621c233cf522ee6c243eac91271e5184dd8f96ca591e03522aab3a7f2d6c8479f6c4cc4a338fcc9e618a06439be1ae155fe39e74c9736
Static task: static1
Behavioral task: behavioral1
Sample: comand? nou?.exe (non-ASCII characters in the original filename were replaced by `?` during extraction)
Resource: win7-20220414-en
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: xczm
C2 / decoy domains (65 entries). FormBook configs carry the real C2 alongside decoy domains used to generate cover traffic, and this report does not mark which entry is real: block or alert on the whole list as network IOCs, but do not attribute infrastructure from any single entry.
graceandnathangetknotted.com
myporndesires.com
alphagamingaccessories.com
51zhuimeng.com
196wrf.info
lubanzizhi.com
107xt.com
jatinangorcity.com
tumblrdatinggame.com
mtorc1inhibitor.com
boogxgenblm.live
iotaneuralnetwork.com
booksinclouds.co.uk
made-in-asiago.tech
myfunbooks.net
rglrgrl.net
azumiyakkyoku.info
qasryna.com
ara-digital.com
barnboost.com
vesseladmin.com
waixiangji.com
reubenarcherrocks.com
finewu.com
homeworkersguild.com
chifeng3.com
rickme.com
snorkellingcouses.com
orendafitness.com
thredami.com
icastmodeling.online
xuankhani.com
dup-sgrd-paris.com
nezamerzaika.online
alotkit.com
madisonventurepartners.com
ivybeyond.com
charitycareerscommunity.com
camdenairshow.com
theferrellcollection.com
kaigofan.com
ddgan59.com
smartfuturez.com
myroofgaf.biz
coyotevalleysaddleshop.com
danunsah.info
inqract.com
autovaldepereira.seat
tlcsigns.net
compassionateaccountability.com
buddhistbot.com
melloweducation.com
cardinalheroes.com
xcdysl.com
pinechain.com
5551005.com
keeperofthebeesnwnj.com
yk014.com
qmailrocks.net
indimeo.com
importinnovationconcept.com
007ind.com
markerclothing.com
bulletkingbedliner.com
fex-tracks.com
Targets
Target: comand? nou?.exe (the analysed executable; its size and hashes differ from the submitted file listed under General)
Size: 390KB
MD5: 4213a0c5f1cb2ef588cc1097c21a3461
SHA1: dbf1b38120dd815f96660ba1af0889a599e0fa11
SHA256: 7da99d277c87633b2aab117deab3bfdd6f9cef0d82172264f600e7b385892c37
SHA512: 62e77591ab1446adf82b7ac705b5886eb3e17244574b00337efcfc99e69372cc3f7891364826aa30e27a47e04b936cd654cd9e59d1079e56c5e1f4f904055994
suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
  Presence of the guest-additions key indicates a VirtualBox VM; a common anti-analysis check.
- Blocklisted process makes network request
- Looks for VMWare Tools registry key
  Presence of the VMware Tools key indicates a VMware guest; same purpose as the VirtualBox check.
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments (hypervisor vendor strings in the BIOS version fields).
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Adds Run key to start application
  Persistence: the sample will be relaunched at user logon.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments (virtual disk vendor strings, few or small drives).
- Suspicious use of SetThreadContext
  Rewriting another thread's context is the classic way to redirect a suspended process into injected code (process hollowing / injection); the API has few legitimate uses outside debuggers.
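As an added example, not part of this sandbox report, the registry-based checks listed above turned into detection logic: it classifies Sysmon-style registry events against the same signatures and flags a process that combines several environment checks with a Run-key write. The pipe-separated log format, the image path, and the two drive-mapping keys (MountedDevices, Services\Disk\Enum) are assumptions; the VirtualBox, VMware, BIOS, Geo\Nation and Run paths are the standard Windows locations.

```python
import re

# Registry locations behind the report's signatures. VirtualBox, VMware,
# BIOS, Geo\Nation and Run are standard Windows / guest-tool paths; the two
# drive-mapping keys are an assumption about what that signature inspects.
SIGNATURE_PATTERNS = {
    "Looks for VirtualBox Guest Additions in registry": [
        r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    ],
    "Looks for VMWare Tools registry key": [
        r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools",
    ],
    "Checks BIOS information in registry": [
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|SystemBiosDate|VideoBiosVersion)",
    ],
    "Checks computer location settings": [
        r"\\Control Panel\\International\\Geo\\Nation",
    ],
    "Maps connected drives based on registry": [
        r"\\SYSTEM\\MountedDevices",          # assumed key
        r"\\Services\\Disk\\Enum",             # assumed key
    ],
    "Adds Run key to start application": [
        r"\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    ],
}
PERSISTENCE = {"Adds Run key to start application"}
ENVIRONMENT_CHECKS = set(SIGNATURE_PATTERNS) - PERSISTENCE
COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in SIGNATURE_PATTERNS.items()}

# Constructed sample log (not real telemetry): ts|op|pid|image|registry path.
# The last line is a benign Run-key *read* by explorer.exe and must not match.
SAMPLE_LOG = """\
2022-05-21T00:01:02|OpenKey|1844|C:\\Users\\user\\sample.exe|HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions
2022-05-21T00:01:02|OpenKey|1844|C:\\Users\\user\\sample.exe|HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
2022-05-21T00:01:03|QueryValue|1844|C:\\Users\\user\\sample.exe|HKLM\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion
2022-05-21T00:01:03|QueryValue|1844|C:\\Users\\user\\sample.exe|HKCU\\Control Panel\\International\\Geo\\Nation
2022-05-21T00:01:04|QueryValue|1844|C:\\Users\\user\\sample.exe|HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum\\0
2022-05-21T00:01:05|SetValue|1844|C:\\Users\\user\\sample.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\sample
2022-05-21T00:01:06|QueryValue|620|C:\\Windows\\explorer.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive
"""


def parse_event(line):
    """Split one log line into its five fields; return None for malformed lines."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    ts, op, pid, image, path = parts
    return {"ts": ts, "op": op, "pid": pid, "image": image, "path": path}


def classify_event(ev):
    """Return the names of every signature the event's registry path matches."""
    hits = []
    for name, patterns in COMPILED.items():
        # Reading the Run key is ordinary (explorer does it); only a write counts.
        if name in PERSISTENCE and ev["op"] != "SetValue":
            continue
        if any(p.search(ev["path"]) for p in patterns):
            hits.append(name)
    return hits


def classify_log(text):
    """Map (pid, image) -> set of matched signature names across the whole log."""
    per_process = {}
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for name in classify_event(ev):
            per_process.setdefault((ev["pid"], ev["image"]), set()).add(name)
    return per_process


def flag_processes(per_process, min_env_checks=2):
    """Flag pids that both probe the environment several ways and persist."""
    return [pid for (pid, _image), names in per_process.items()
            if len(names & ENVIRONMENT_CHECKS) >= min_env_checks and names & PERSISTENCE]


if __name__ == "__main__":
    result = classify_log(SAMPLE_LOG)
    for (pid, image), names in result.items():
        print(pid, image)
        for n in sorted(names):
            print("  -", n)
    print("flagged:", flag_processes(result))
```

A single registry read of the BIOS or Geo key is common in legitimate software, which is why the flagging heuristic requires several environment checks plus a persistence write from the same process rather than alerting on any one match.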