General

Target: a3aa28d96664fc95cf9b74941b6c0015e5c3d18dd5efcee33e1dd1773aa3316d
Size: 306KB
Sample: 220521-cv5ysshfcq
MD5: c6954abe475309997c919af83a0cf3eb
SHA1: 277f10e1fd66665ee3fd03f3c21572c98c54fc5f
SHA256: a3aa28d96664fc95cf9b74941b6c0015e5c3d18dd5efcee33e1dd1773aa3316d
SHA512: 3c4d398bbc3acf948e6e7e3944de3af21196b30f0d64c2aec77d20af486a919aace96a2dfd4ef95b7a8361f11dcb380cf771dad72d2d8373f60e52bbcee8f23a
Static task: static1
Behavioral task: behavioral1
Sample: H2pjyhEAKkZfHdt.exe
Resource: win7-20220414-en
Malware Config

Extracted
Family: formbook
Version: 4.1
Campaign: duj
Decoy/C2 domains (a Formbook configuration hides the live C2 among decoy domains; the report does not indicate which of the following is live):
deapink.pink
tkmdz.com
nytzshicai.com
photos-identite-dijon.com
ekanun.net
xn--fiqy4bxl57l9sag6f6wb.ink
slivercat5.com
ai-ethics.net
510ns.com
inotherways.com
ridesharesettelment.com
zjxiangnong.com
aoraessentials.com
sheap-list.com
heshengqy.com
experts-comptables-paris-17.com
parissummerolympics2024.info
gtyx88.com
devopsonjob.com
vodacred.com
kandilakes.com
digitalcoincollective.com
seedrazer.com
24houremergencyroomnearme.com
xn--lg3bu5if3f.com
557486.top
czqfkj.com
running0711.com
aimwizard.com
holdingtoken.com
qgyldzw.com
mt1618.com
chiquicreates.com
0pe345.com
shopmomsthebomb.com
cheerzhangover.com
tascoxuanphuong.info
suitablepersonalprotection.com
dh12345.com
pixelfocusphotography.com
tianhegongcheng.com
foodsweet.com
hoamailand.com
btr96.info
eatsmartcookie.com
studebakergs.com
110422.info
infoicobit.com
northeastphillyshuttle.com
lover-road.com
pacificsolo.com
intangiblebitcoin.info
quericus.tech
indianchemicalmart.com
trublueroanokeva.com
apollontimes.news
interiordesignersudbury.com
klarkindustria.com
fraisgr.com
marketersarbitrage.com
adoriagroep.com
hxjfqe.com
stoneandstran.com
genkicoffee.com
spatren.com
Targets

Target: H2pjyhEAKkZfHdt.exe
Size: 389KB
MD5: 89d09a60f52f57c3ce453088e2e55929
SHA1: d44fce4891c9cbf331c2fe6d9d579f23b10f4089
SHA256: 64379371f079edd1bb0d1a26a98e0a487c4e89a468f60674d803f929d24d3ecb
SHA512: f9c7e1ddc911d147146e9604dca1130f92e94589d4f9a415d7aa082910add68a7c7496ad633b6bea6abb9db5dcf1c8eb1b94a1dabe73f9e7ed067bc2cdd3ccdc
suricata: ET MALWARE FormBook CnC Checkin (GET)
Formbook Payload
Looks for VirtualBox Guest Additions in registry
Adds policy Run key to start application
Looks for VMWare Tools registry key
Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
Adds Run key to start application
Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
Suspicious use of SetThreadContext
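The registry-based behaviours above (anti-VM key lookups, the country-code geofence check, drive enumeration, Run and policy Run key persistence) can be turned into host-side detection logic. The following is an added example, not part of this report or of the sandbox that produced it: it scores a process's registry events against those signature names. The report gives behaviour names only, not key paths; the paths in the code are the well-known locations for each artefact, and the `Disk\Enum` path used for drive mapping is an assumption. `SAMPLE_EVENTS` are constructed Sysmon-style records, not real telemetry.

```python
"""Triage a process's registry activity against the Formbook behaviours
listed in this report: anti-VM key lookups, the Geo\\Nation geofence check,
drive enumeration and Run / policy Run key persistence.

Added example, not part of the sandbox report. The report names behaviours,
not paths; the key paths below are the well-known locations for each
artefact, and the Disk\\Enum path for drive mapping is an assumption.
SAMPLE_EVENTS are constructed Sysmon-style records, not real telemetry.
"""
import re
from collections import defaultdict

# (signature name as printed in the report, category, path regex, registry ops that trigger it)
SIGNATURES = [
    ("Looks for VirtualBox Guest Additions in registry", "anti-vm",
     r"\\SOFTWARE\\(Wow6432Node\\)?Oracle\\VirtualBox Guest Additions", {"open", "query"}),
    ("Looks for VMWare Tools registry key", "anti-vm",
     r"\\SOFTWARE\\(Wow6432Node\\)?VMware, Inc\.\\VMware Tools", {"open", "query"}),
    ("Checks BIOS information in registry", "anti-vm",
     r"\\HARDWARE\\DESCRIPTION\\System\\BIOS", {"open", "query"}),
    ("Checks computer location settings", "geofence",
     r"\\Control Panel\\International\\Geo\\Nation", {"open", "query"}),
    ("Maps connected drives based on registry", "recon",  # assumed path, see module docstring
     r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum", {"open", "query"}),
    ("Adds Run key to start application", "persistence",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", {"set"}),
    ("Adds policy Run key to start application", "persistence",
     r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\[^\\]+$", {"set"}),
]
COMPILED = [(name, cat, re.compile(rx, re.IGNORECASE), ops) for name, cat, rx, ops in SIGNATURES]

# Anti-VM and drive reads are noisy on their own (installers and inventory tools do them);
# the Formbook-like pattern is those reads plus a geofence lookup plus autostart persistence.
WEIGHTS = {"anti-vm": 1, "recon": 1, "geofence": 2, "persistence": 3}
THRESHOLD = 5

# Constructed event format: "<pid> <open|query|set> <full key or value path>"
LINE = re.compile(r"^(?P<pid>\d+)\s+(?P<op>open|query|set)\s+(?P<path>\S.*)$", re.IGNORECASE)


def parse_line(line):
    """Parse one constructed event line into (pid, op, path); None if malformed."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return int(m["pid"]), m["op"].lower(), m["path"]


def match_event(op, path):
    """Names of report signatures satisfied by a single registry event."""
    return [name for name, _, rx, ops in COMPILED if op in ops and rx.search(path)]


def verdict(score, categories):
    """Map a score and the set of matched categories to a triage verdict."""
    if score >= THRESHOLD and {"anti-vm", "persistence"} <= categories:
        return "formbook-like"
    if score >= THRESHOLD:
        return "suspicious"
    return "low"


def triage(lines):
    """Aggregate matched signatures per PID and score them; returns {pid: summary}."""
    matches = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed telemetry is skipped, never counted as a hit
        pid, op, path = ev
        matches[pid].update(match_event(op, path))
    cat_of = {name: cat for name, cat, _, _ in COMPILED}
    results = {}
    for pid, names in matches.items():
        cats = {cat_of[n] for n in names}
        score = sum(WEIGHTS[cat_of[n]] for n in names)  # one weight per matched signature
        results[pid] = {"score": score, "categories": sorted(cats),
                        "matches": sorted(names), "verdict": verdict(score, cats)}
    return results


SAMPLE_EVENTS = [
    # pid 4120: constructed to mirror the behaviour list in this report
    r"4120 open  HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions",
    r"4120 open  HKLM\SOFTWARE\VMware, Inc.\VMware Tools",
    r"4120 query HKLM\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer",
    r"4120 query HKCU\Control Panel\International\Geo\Nation",
    r"4120 query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\0",
    r"4120 set   HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example",
    r"4120 set   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Example",
    # pid 880: hardware-inventory style reads only; should stay below threshold
    r"880 query HKLM\HARDWARE\DESCRIPTION\System\BIOS\BIOSVendor",
    r"880 query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum\Count",
    # pid 2316: installer registering a single autostart entry, nothing else
    r"2316 set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Example",
    "garbage line without a pid, ignored",
]

if __name__ == "__main__":
    for pid, summary in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, summary["verdict"], summary["score"], ", ".join(summary["matches"]))
```

The weighting is the point of the example: a BIOS or disk read by itself, or a single Run key written by an installer, stays below the threshold, while the combination the report shows (several anti-VM lookups, a `Geo\Nation` read and two autostart entries from one process) is flagged. The Suricata check-in and the SetThreadContext signature are not registry events and need network and API telemetry; they are outside what this example covers.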