General
- Target: a260058a1fd26d9661a5258ef8deba43c34718a49da63ba059d21a7a6c1778de
- Size: 266KB
- Sample: 220521-cwfejaeeg4
- MD5: 840b556e294a738229690a21625c1e27
- SHA1: 7cfeb2b0500452bd21a0bfac14faf8533602246c
- SHA256: a260058a1fd26d9661a5258ef8deba43c34718a49da63ba059d21a7a6c1778de
- SHA512: 88653a97ceda6a97aed4e58d96fe9c1e9cd5e2e5545465702d24ad79ff7a95eb75da2a24ce59c330d3ef326d42e2e7919fdba5c1ca338e3ed6563179db271390
- Static task: static1
- Behavioral task: behavioral1
- Sample: PURCHASE ORDER NO7654567.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
wdm
Targets
- Target: PURCHASE ORDER NO7654567.exe
- Size: 298KB
- MD5: ab99d25b2996150cc085ab8eae483f2d
- SHA1: 84f5200e330d6d4be843564d3494056a90da8fad
- SHA256: a46eb9ad512b0b9355c24ab2320a1cd25758bc5e90485a476596982d41f9fe56
- SHA512: cb328d225b61ce7231579488d29f62e5cef2fb9944abe8b5915fd86a264b76f794cd7bf12e5536a218cfcfcd38fe76e7c7a3dbd1e6fe0300cf33979b84929a0b
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext