General
Target: a703fd2372483e4bbb75bc96dd4f0f95c489eede136451016106eb6c62636658
Size: 1.2MB
Sample: 220521-bqjpbsfcfq
MD5: a1244ca67b926fae807a19950991128f
SHA1: bfd56771284560488f9e28f65840880d7f130166
SHA256: a703fd2372483e4bbb75bc96dd4f0f95c489eede136451016106eb6c62636658
SHA512: 25d36aac5e1fef344ddc1be9db97771e01597de9aa1ad3b36da9d5c6cb5188b9fa1b8902d6f5c161c20a3ad88d039de8f0f7cb828a9272824b7e325557132c4f
Static task: static1
Behavioral task: behavioral1
Sample: BANK_LET.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
3.9
23v
Targets
Target: BANK_LET.EXE
Size: 339KB
MD5: 86bb43248e3ad56e9a839cc6c7b03282
SHA1: 30afc80c7a9d14fb54cd799b2b2d552c9f2e138d
SHA256: 286add28a79440668077a7d762ee81ee169f1c08daa27bc680dbf8c8832d2785
SHA512: 17716ec8e1dbee062a3534eab62e0ba4b793ec94d6f64043493dfddb8424bd0d6a7d792e26d628f86d6acbf18ba671817d30ba243ebbac5a7b4255f8e19a6cc1
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext