General
Target: f3b163231a156797f336842bd4e6fce358ce875b7a06430c92d777eb84186f46
Size: 349KB
Sample: 220521-b98gssdea9
MD5: 9d546a8d0f24206a897ff8e4b8af21f5
SHA1: 6bb02c8e6887f29d20f843baa0e643574d724ac5
SHA256: f3b163231a156797f336842bd4e6fce358ce875b7a06430c92d777eb84186f46
SHA512: de1ac6bcd134429ed3120d27741cf77cc07a0ad4e3773dcf48d14379b8368feff9b42ec1df1d15fd2948c5a7e2f95788ed6a18249992b8ee5d7e43790c3f4a22
Static task: static1
Behavioral task: behavioral1
Sample: po456789__img.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
duj
Targets
Target: po456789__img.exe
Size: 403KB
MD5: 8205a489fc508497b86443d6253e294b
SHA1: 45e9e0b6dc9fce4583753e3cded6552844de0695
SHA256: 6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb
SHA512: b5099a16e8ad338574e6b5f5b57c0b160ff12fa75efbafe8e06dfa3de23611c54edddd9ef9e2fe30a424df733a93eafee452bdf7f5b344bb9629dff15353cd08
suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext