General
-
Target
2adb8bdadf9867460dedfccd61ab3b0fde0af1211b914611f8ea4920f68eaca8
-
Size
536KB
-
Sample
220521-a3sbkaecan
-
MD5
d181f7b36ac1fa53299a961be35356c5
-
SHA1
58fba48328ce1964e3846538636f487adc9bebb2
-
SHA256
2adb8bdadf9867460dedfccd61ab3b0fde0af1211b914611f8ea4920f68eaca8
-
SHA512
387e35f6ecf7c2030ff2699aeee316b4495be31ec7d62ba06c781511e8beded03668fa518b6b2459b82ad30d3fb5fd6ae55becbe79c9577e9e4b1a287938f160
Malware Config
Extracted
formbook
4.1
wus
generativecoaching.net
skillmosaic.com
practicalmaster.com
12aminmiami.com
instagramsupport.online
mainelse.net
qqysmr.com
wealthxd.com
videoadscreator.com
dltzscl.com
cotaforjulyans.com
forcend.com
shinjukufilm.com
bsq30.com
dragonsrose.net
loganbuys.com
wwwfitnessymusica.com
microbladingdublin.com
corporateiconic.com
sunshinegroupnyc.com
Targets
-
-
Target
PL PI.exe
-
Size
483KB
-
MD5
a55080b594286b0ccaf24ea05141293d
-
SHA1
1b7076439313bd90da6d37263a297fb613efc82a
-
SHA256
0707523c23666b0535673287616ea82b34e810594ddf19c45a0746d1bd697070
-
SHA512
fbf9b42a524985ca74de35338b0968bc54bae7b5b5693927e8a33d0be3175486966e863fcb1b98433d31ad3186cbdc80799e648e82f2a37c7f81a2a62e4445e1
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-