General
- Target: b13f0477dc1fa39cf53bb31ea61dc7068e57135953283538cb16155703d6c609
- Size: 349KB
- Sample: 220521-crqdyahder
- MD5: fd8dd42ea9367a5baec9cceb9b3475c7
- SHA1: 75083c96ed2cfcc7e6eb335ac7d0dd7f5e2bfcd0
- SHA256: b13f0477dc1fa39cf53bb31ea61dc7068e57135953283538cb16155703d6c609
- SHA512: 30c138778a14e9d6c2d27d8f1518ab8465969ea2dc7517e48db6083b7378295a67cd3fa697727fdd309d95cba8793ace11564d072e2a74427217b4f3b9c76981
Static task: static1
Behavioral task: behavioral1
- Sample: mgkreERjvr7XiMz.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: duj
deapink.pink
tkmdz.com
nytzshicai.com
photos-identite-dijon.com
ekanun.net
xn--fiqy4bxl57l9sag6f6wb.ink
slivercat5.com
ai-ethics.net
510ns.com
inotherways.com
ridesharesettelment.com
zjxiangnong.com
aoraessentials.com
sheap-list.com
heshengqy.com
experts-comptables-paris-17.com
parissummerolympics2024.info
gtyx88.com
devopsonjob.com
vodacred.com
kandilakes.com
digitalcoincollective.com
seedrazer.com
24houremergencyroomnearme.com
xn--lg3bu5if3f.com
557486.top
czqfkj.com
running0711.com
aimwizard.com
holdingtoken.com
qgyldzw.com
mt1618.com
chiquicreates.com
0pe345.com
shopmomsthebomb.com
cheerzhangover.com
tascoxuanphuong.info
suitablepersonalprotection.com
dh12345.com
pixelfocusphotography.com
tianhegongcheng.com
foodsweet.com
hoamailand.com
btr96.info
eatsmartcookie.com
studebakergs.com
110422.info
infoicobit.com
northeastphillyshuttle.com
lover-road.com
pacificsolo.com
intangiblebitcoin.info
quericus.tech
indianchemicalmart.com
trublueroanokeva.com
apollontimes.news
interiordesignersudbury.com
klarkindustria.com
fraisgr.com
marketersarbitrage.com
adoriagroep.com
hxjfqe.com
stoneandstran.com
genkicoffee.com
spatren.com
Targets
- Target: mgkreERjvr7XiMz.exe
- Size: 404KB
- MD5: 332c98e548482176fda185f932f2ed18
- SHA1: 8bd6cfdc0950cd2fad8f64765b6107cc2d6f87eb
- SHA256: ce6d1fc239eb571fde9427c0d7f11d7b6a7a1c0466711524b690ca0de3556a6b
- SHA512: 20a1a33c6e4358469ea2227687fdcb7eec13503a483c866e4196ac70a639b8320e496d6b2bb75facbd0789e0bd01aed1c9bfa0626c3b136c99b27b8840d5696a
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext