General
-
Target
97c8b86636fb4b9c0c95d9c445d89cb712e2776b3e514295a72d11601450709a
-
Size
271KB
-
Sample
220521-adfapscheq
-
MD5
4dbe32bf405ac8daa47053f64eac4776
-
SHA1
f2dfe82b1b53d902811ff84cef9ed9b3f7676ae4
-
SHA256
97c8b86636fb4b9c0c95d9c445d89cb712e2776b3e514295a72d11601450709a
-
SHA512
0081935509f0f6345e385de3b8ad7ae35f2f0ba85c4dc4ee2ef8676e2f37f9ce44d268ec25c8110f1e01c3543799571769a45be727062ebdb64714ad6b3005a6
Static task
static1
Behavioral task
behavioral1
Sample
SOA 22072020.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
4.1
hnh
stackingplans.info
landscapingcanberra.com
apxlegal.com
gzajs.com
senladvocaten.com
stephanieabella.com
indivmgtsvc.com
wildlife-botanicals.com
fingrfull.com
ustar-electric.com
timesharebefree.com
safefirstresponder.com
giliticketoperator.com
silverstarscents.com
4752condordrive.info
joomak.net
new-auto-news.com
ottodesign.store
kxg01.com
chrisoncreation.com
robielutsey.com
dhayaltechsystems.com
giftbizz.com
outpost-security.com
wwwjinsha937.com
pro-piedades.com
buffalocoresupply.com
netw.site
gooddayrental.com
qingyujian.com
atiasyariv.com
immaver.com
intervention4change.com
landlockedtraveler.com
onionfaucet.win
fairygroundsocks.com
adrianscharfetter.com
prolumen.biz
ibkmalakhit.net
rivertownehomeforsale.com
productsarehard.com
recoreltd.com
111972.info
wahzik.com
lackyshopping.com
xn--u8jxbl0m2g4a1h6q.com
ousxqh.men
bobingxiaochengxu.com
fullkiwi.com
dearwaltdisney.com
njduqiang.com
firesideeditions.com
cuagonhuaviettin.com
imaginethatideas.com
tian.agency
astrosolarfast.com
chosentechshopandreview.com
avatar99.com
lakazanono.com
news-chinatimes.com
www245234.com
hojespecial.com
x13q876dvq.com
tmtcaa.info
patlod.com
Targets
-
-
Target
SOA 22072020.exe
-
Size
371KB
-
MD5
8f0593680392f53ee586bb66c2885d8f
-
SHA1
320d855a8797fbd3bbd9871c9ac747c9fba1c73d
-
SHA256
c53c864741e005d5b04ca3349e81597e61b8ee3ecd7a03cddd2d15d955cbb04a
-
SHA512
cf5ba58c64c9c25263bfb18528358659e08384fddf41ff7619308abf4962860a281a2ef91ca4321c0da5ae7af4764c6e9f3e5ba3991fbc5c5293a32df744e535
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Adds policy Run key to start application
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-