General
- Target: 6c2cbc8b3f0efbabb281cb15fa0d08b2b805dddfa8028b285e795c6b6ecdda02
- Size: 307KB
- Sample: 220521-da7sbsadgk
- MD5: fb7b6207d6b7643f9279a7fc2e6ba6a9
- SHA1: 9f83248171dc6312da7fb9afb11b488d49518a2c
- SHA256: 6c2cbc8b3f0efbabb281cb15fa0d08b2b805dddfa8028b285e795c6b6ecdda02
- SHA512: 120acaa3f98e100c09d92804212f1291a2c66bd5dcbd3e5dc9c4a615ca751994ff21c7f860edc5c060e4dd40d3e2d4f5faf3943d0f41ff7344f684d7f0ccd055
Static task: static1
Behavioral task: behavioral1
- Sample: PO102.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
hnh
Targets
- Target: PO102.exe
- Size: 368KB
- MD5: 544f97d08c44accf6feb140704686ad9
- SHA1: 198054b26aa1895ae9e6533a449d52dadbbcd0b5
- SHA256: 548f6937985adb04cce6bda4127f3d2af247feada21eda348d1d6a0e8dd7d2c7
- SHA512: 1acc9b9bae1f369d0e717bbd22e2861455b91e942398833004cdf4d8022230a144ea81126a094bb76f509b1281cacffa7e069b2f5c99e6b19621887b904164bc
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext