General
Target: dbb2e50bc17ff79ae31d01a04ebc0f516a04ac28b5ffdd556a3dfc0541de5e3c
Size: 271KB
Sample: 220521-bm7a8acbd4
MD5: 77dc078d1d6b77cf397a187581c494f5
SHA1: 7321549c671c8993f3981f68fa4da86954ae8eb5
SHA256: dbb2e50bc17ff79ae31d01a04ebc0f516a04ac28b5ffdd556a3dfc0541de5e3c
SHA512: 0b429bb6f75a94e12ef5fcf5cb4034bc7e3fbb31fada04742f066833e56673667c51928aa9d24b0add8946f29bf2758d2a1e017df5da9d388c78228f9e758347
Static task: static1
Behavioral task: behavioral1
Sample: Swift Copy Pdf.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
3.9
h0d
goredfriday.com
ez-sleep.com
xydrgzx.com
paintersjacksonville.com
878212315.com
hotchatcams.com
cavalierwebsolutions.com
spirituellleben.com
emeraldjaya.com
dxyuq.info
rupturefarms.info
cajunnavygear.com
fsqdi.info
thegettinplacewhy.com
z0oav.com
conceptionfitness.com
kraftinvest.info
youngpeoplefutureofnews.com
cvmascotas.net
mundoconnection.com
bionsecurity.info
copytoken.com
zdsyzy.com
ucoktiket.com
karihunter.net
asierfilms.com
boycottsprouts.com
etceterar.net
publicsquaremarket.com
eqy7g0.win
berspume.com
ssluav30.com
fontainedantan.com
codycrossanswer.com
jyptzs.com
freethecbd.love
mizcupcake.com
cesarxes.com
hobecogroup.com
jodistreats.com
lvtejie.com
10f9.com
tradehut.group
stonewoodestates.com
ft9tr.com
hotel-lao.com
aberrant.solutions
nonduality.party
jisenwang.com
jp-rechtsanwaelte.com
bornes-de-paiement.com
osy-pcb.com
calcalthegrey.com
abckreativ.com
kayamanagement.com
vivezpratique.com
freie-rituale.com
echtehandarbeit.net
goforpromo.com
mydz88.com
zsauces.com
nco7978.com
ddlearn.com
paternosterhikingtrails.com
godhep.com
Targets
Target: Swift Copy Pdf.exe
Size: 324KB
MD5: 9a426dc20fda9d009e9420df7b25d4be
SHA1: ee1b322966cc4c1c51a2d2cdf42146b9df551a0d
SHA256: a50d19ddd0b87fdc2529cfb1676f14297125443103286553fbcdf4ffa989f8e7
SHA512: 21d19354008766a248a29ddeedfdf46320dd78fb478d480f941d47ea48028ca8843c816013d95ecec84c7fbe14bc1917fde1658b74cc54abaee93edfd065fd24
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext