General
- Target: 5c73962e4c23d4c940fd4558963cd1d7f3fd58a06c8849cb074c2b52906ebdbc
- Size: 316KB
- Sample: 220521-de3deaafen
- MD5: 0f55a4f4a744d06fc2aecb06def9a1af
- SHA1: 221df16d2e4179886300c9322bcc6386fb049c06
- SHA256: 5c73962e4c23d4c940fd4558963cd1d7f3fd58a06c8849cb074c2b52906ebdbc
- SHA512: 08c74d1e7b8b11cabf65719d311b0ce987efa055b327c3b870230013ab79ab999ecec03597fd40e033129ace80a48a4449e2408b42eee8796d5b74f157a68e77
Static task: static1
Behavioral task: behavioral1
Sample: Item list.exe
Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
cza
Targets
- Target: Item list.exe
- Size: 395KB
- MD5: ea84edffa7e1f6a0ad5b4d98a889f57b
- SHA1: 2557d3052c0175f3f2346d2e93162b1553ddfa46
- SHA256: 4a2e8f13ad2ce022158574edb3ab566db4544ec1dcda648845b16bc754f4e321
- SHA512: 03d03e696ccd62b0d94b88d13811ef311ae6fe119a25f3dbad1f54a34c2f51737a06e3159234f3e50d1149f432f6d5fced979ae563e5c6a918b36f49fcb80a9a
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Adds Run key to start application
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext