General
Target: 3b4194ae562a6c919c783536050e827de39ba0b00c6df58cf9e7083c19dddf53
Size: 998KB
Sample: 220521-bwe84aceg2
MD5: 92d916b0bef62cc9ef9fa0c14b9436b1
SHA1: c4472e6162357ed64f152dbb130f782f5492a759
SHA256: 3b4194ae562a6c919c783536050e827de39ba0b00c6df58cf9e7083c19dddf53
SHA512: 5b1c62eb0a90148e6f848e29ee656d8f387629bcfdf0f662817149050314e7f4afdeb7b5597ad79c502b9e9b9f2ec5d0ca8ffc46f6b855a577702126d28d805e
Static task: static1
Behavioral task: behavioral1
Sample: New PI PL.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
wus
generativecoaching.net
skillmosaic.com
practicalmaster.com
12aminmiami.com
instagramsupport.online
mainelse.net
qqysmr.com
wealthxd.com
videoadscreator.com
dltzscl.com
cotaforjulyans.com
forcend.com
shinjukufilm.com
bsq30.com
dragonsrose.net
loganbuys.com
wwwfitnessymusica.com
microbladingdublin.com
corporateiconic.com
sunshinegroupnyc.com
cpc000.com
aerialliftland.com
50j6tfl4t7.biz
phransus.com
sepez.com
alephmim.com
mobster.tech
armanismiami.com
maviswancyzk.com
prephurricane.com
danielryanwrites.com
niruli96.party
westgastro-lbc.com
gofoodieweb.com
daveselectricalco.com
treasuresofwallstreet.com
ebaychinadirect.com
michaelmaffait.com
konnect-4.com
weiguanwo.com
joycestravels.com
allstatehurricaneirmaclaims.com
necoservicios.com
kuishei.com
twentydc.scot
semohomesource.com
graymensociety.com
jswmpc.com
tlpropertybuyers.com
azteccar.com
thesourcespirit.com
fhtps.com
sabrinacameron.com
130aa4.com
junowagashi.com
seocherubin.com
fashionnpva.com
photoidrental.com
sierraassets.net
zhubao258.com
athenscraftbeerexpo.com
zzizzle.net
greengoenvironmental.com
goveducc.com
howcuty.com
Targets
Target: New PI PL.exe
Size: 945KB
MD5: 332e036148c15d2453735b513bb8d693
SHA1: ffe088da337a5d87baeb1f3de49f83ff6a607c0a
SHA256: d4cca60154fcc667ada19dffbac16f84b51691a540daf850a766b91bd46544fe
SHA512: 099a9ad6dd681e580e7ab0ab1798a51ccb9ce92a9ed001e7a8e49f0c57a714932cbc20c06670683fdb67be1ab88ba4b54e4f67568884deed1bc8921ecee4aed9
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext