General
Target: b342d170c6371e2d496b49b114e9c5834038d7292e63026f864e514378fb72b4
Size: 284KB
Sample: 220521-cq4j6seda2
MD5: 3f7e05fa66b984077831615e3979b7f9
SHA1: 4128dd01c0c99e54cd03f74b64c632aeffecc68f
SHA256: b342d170c6371e2d496b49b114e9c5834038d7292e63026f864e514378fb72b4
SHA512: 294b8300fae5c1b654c270daa8d4339000f4b4dd201902334650e303f52e849e633d363cb1d2bae8371658862d1f72086e97311565ae8c46e3090de391557d83
Static task: static1
Behavioral task: behavioral1
Sample: TT copy 2094782.exe
Resource: win7-20220414-en
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: app
Domains:
niresandcard.com
bonusscommesseonline.com
mezhyhirya.com
paklfz.com
bespokewomensuits.com
smarteralarm.info
munespansiyon.com
pmtradehouse.com
hotmobile-uk.com
ntdao.com
zohariaz.com
www145123.com
oceanstateofstyle.com
palermofelicissima.info
yourkinas.com
pthwheel.net
vfmagent.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
isnxwa.info
my-smarfreen3.com
eareddoor.com
kfo-sonnenberg.com
conceptweaversindia.online
ledgermapping.com
fashionartandmore.com
broemail.com
bs3399.com
minds4rent.com
182man.com
dionclarke.com
naakwaley.com
huoerguosicaiwu.net
langongzi.net
haz-rnatresponse.com
confidentcharm.com
yshtjs.com
phiscalp.com
walletcasebuy.com
history.fail
al208.com
kitkatwaitressing.com
fxmetrix.com
riyacan.com
garrettfitz.com
worldaspect.win
serviciodomicilio.com
yngny.com
acaes.info
jujiangxizang.com
mysteryvacay.com
extensiverevive.com
feelgoodpainting.com
dtechconsultants.com
manufacturehealth.com
khmernature.com
archaicways.com
westlakegranturismo.com
transporteselruso.com
cultclassics.net
anne-nelson.com
warminch.com
bihusomu40.win
norjax.com
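The domain list above is the decoded Formbook configuration. Formbook configs carry a set of decoy domains alongside the real C2, and the list here has no URL path, so it is best handled as a watchlist rather than a blocklist: expect some legitimate traffic to these names. The Python below is an added example, not the sandbox's or the report's own code, that turns a pasted list into normalised IOCs, flags punycode (IDN) entries such as xn--3v0bw66b.com, and emits exact-match Suricata DNS rules. The excerpt of domains, the deliberately bad lines and the sid range are constructed for the demonstration.

```python
"""Normalise a Formbook config domain dump into hunting IOCs (added example)."""
from __future__ import annotations

import re
from collections import Counter

# Constructed input: an excerpt of the extracted list, plus one duplicate with
# different case and two junk lines, to show what the normaliser keeps and drops.
RAW_DOMAINS = """
niresandcard.com
bonusscommesseonline.com
xn--3v0bw66b.com
comsystematrisk.win
on9.party
history.fail
norjax.com
Norjax.com
not a domain
bad_host.com
"""

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(raw: str) -> list[str]:
    """Lowercase, trim, drop trailing dots, de-duplicate and discard non-hostnames."""
    seen: set[str] = set()
    out: list[str] = []
    for line in raw.splitlines():
        domain = line.strip().lower().rstrip(".")
        if not domain or domain in seen:
            continue
        labels = domain.split(".")
        if len(labels) < 2 or not all(_LABEL.match(label) for label in labels):
            continue
        seen.add(domain)
        out.append(domain)
    return out


def describe(domain: str) -> dict:
    """Annotate one domain: TLD, whether it is punycode (IDN), and its Unicode form if decodable."""
    is_idn = any(label.startswith("xn--") for label in domain.split("."))
    unicode_form = None
    if is_idn:
        try:
            unicode_form = domain.encode("ascii").decode("idna")
        except UnicodeError:
            unicode_form = None  # malformed punycode: keep the ASCII form only
    return {
        "domain": domain,
        "tld": domain.rsplit(".", 1)[-1],
        "is_idn": is_idn,
        "unicode": unicode_form,
    }


def tld_histogram(domains: list[str]) -> Counter:
    """Count TLDs; a skew toward cheap TLDs (.win, .party, .fail) is typical of such lists."""
    return Counter(d.rsplit(".", 1)[-1] for d in domains)


def suricata_dns_rules(domains: list[str], sid_start: int = 9000001) -> list[str]:
    """One exact-match DNS query rule per domain (Suricata 5+ dns.query buffer; sid range is an assumption)."""
    rules = []
    for offset, domain in enumerate(domains):
        rules.append(
            f'alert dns any any -> any any (msg:"Formbook config domain {domain}"; '
            f'dns.query; content:"{domain}"; nocase; bsize:{len(domain)}; '
            f"sid:{sid_start + offset}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    domains = normalize(RAW_DOMAINS)
    for d in domains:
        print(describe(d))
    print(tld_histogram(domains))
    print("\n".join(suricata_dns_rules(domains)))
```

The rules use bsize so that only an exact query for the listed name fires, not every subdomain; drop bsize (or use endswith) if you want wider coverage at the cost of more noise from the decoy entries.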
Targets
Target: TT copy 2094782.exe
Size: 358KB
MD5: 9d4da0e623bb9bb818be455b4c5e97d8
SHA1: 9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0
SHA256: 091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8
SHA512: 6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37
Suricata: ET MALWARE FormBook CnC Checkin (GET)
Suricata: ET MALWARE FormBook CnC Checkin (POST) M2
Signatures
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up the country code configured in the registry, likely used as a geofence.
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
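The signature names above are labels assigned by the sandbox; the page does not show the registry keys or API calls behind them. The Python below is an added example, with a key-to-signature mapping of my own rather than the sandbox's rule set, that evaluates a constructed stream of registry, API and process events against those names. It uses the well-known locations these checks read: the VirtualBox Guest Additions and VMware Tools keys, HARDWARE\DESCRIPTION\System for BIOS strings, Control Panel\International\Geo\Nation for the country code, Services\Disk\Enum for attached disks, and the Run and Policies\Explorer\Run keys for persistence. The event format, paths and PIDs are constructed.

```python
"""Match sandbox-style events against the behaviour signatures named in the report (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    op: str                         # RegOpenKey | RegQueryValue | RegSetValue | ApiCall | ProcessCreate
    process: str                    # image path of the acting process
    pid: int
    target: str                     # registry path, API name, or command line of the child
    target_pid: int | None = None   # ApiCall only: process that owns the thread being touched


# Registry reads -> signature names. The paths are the well-known keys these checks hit;
# the mapping itself is mine, not the sandbox's rule set.
REG_READ_SIGNATURES = [
    (r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions", "Looks for VirtualBox Guest Additions in registry"),
    (r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools", "Looks for VMWare Tools registry key"),
    (r"\\HARDWARE\\DESCRIPTION\\System\b", "Checks BIOS information in registry"),
    (r"\\Control Panel\\International\\Geo\\Nation$", "Checks computer location settings"),
    (r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", "Maps connected drives based on registry"),
]
RUN_KEY = r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
POLICY_RUN_KEY = r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\"
CONTEXT_APIS = {"SetThreadContext", "NtSetContextThread"}


def match_events(events: list[Event]) -> list[str]:
    """Return the signature names triggered by the event stream, in first-hit order."""
    hits: list[str] = []

    def add(name: str) -> None:
        if name not in hits:
            hits.append(name)

    for e in events:
        if e.op in ("RegOpenKey", "RegQueryValue"):
            for pattern, name in REG_READ_SIGNATURES:
                if re.search(pattern, e.target, re.IGNORECASE):
                    add(name)
        elif e.op == "RegSetValue":
            # The policy path does not contain "\CurrentVersion\Run\", so the two patterns are disjoint.
            if re.search(POLICY_RUN_KEY, e.target, re.IGNORECASE):
                add("Adds policy Run key to start application")
            elif re.search(RUN_KEY, e.target, re.IGNORECASE):
                add("Adds Run key to start application")
        elif e.op == "ApiCall":
            # Rewriting the context of a thread in another process is the hollowing/injection
            # pattern; a process setting its own thread context is not flagged.
            if e.target in CONTEXT_APIS and e.target_pid not in (None, e.pid):
                add("Suspicious use of SetThreadContext")
        elif e.op == "ProcessCreate":
            # Self-deletion via a child "cmd /c del <own image path>".
            cmdline = e.target.lower()
            if re.search(r"\bdel\b", cmdline) and e.process.lower() in cmdline:
                add("Deletes itself")
    return hits


# Constructed event stream: what a run of the sample above might log, plus one
# benign SetThreadContext on the process's own thread and one unrelated explorer.exe read.
SELF = r"C:\Users\user\Desktop\TT copy 2094782.exe"
SAMPLE_EVENTS = [
    Event("RegOpenKey", SELF, 1234, r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    Event("RegOpenKey", SELF, 1234, r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    Event("RegQueryValue", SELF, 1234, r"HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer"),
    Event("RegQueryValue", SELF, 1234, r"HKCU\Control Panel\International\Geo\Nation"),
    Event("RegQueryValue", SELF, 1234, r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0"),
    Event("RegSetValue", SELF, 1234, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater"),
    Event("RegSetValue", SELF, 1234, r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("ApiCall", SELF, 1234, "SetThreadContext", target_pid=1234),
    Event("ApiCall", SELF, 1234, "SetThreadContext", target_pid=2345),
    Event("ProcessCreate", SELF, 1234, f'cmd.exe /c del "{SELF}"'),
    Event("RegOpenKey", r"C:\Windows\explorer.exe", 99, r"HKCU\Software\Classes"),
]

if __name__ == "__main__":
    for name in match_events(SAMPLE_EVENTS):
        print(name)
```

SetThreadContext is only flagged when the thread belongs to a different process, which is the suspend, write payload, set context, resume sequence of process hollowing; a process adjusting its own thread context is ordinary and would otherwise make the signature noisy.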