General
- Target: 5114955491d5400511f2c6d6efdc4338d0f7ef7b85f4f3b1d66ffa78f796b81a
- Size: 274KB
- Sample: 220521-dh2laafgb7
- MD5: c9ff3c2135d57620806738a498933592
- SHA1: 4394db5449fd92bfda74a60d482466ca3b16a482
- SHA256: 5114955491d5400511f2c6d6efdc4338d0f7ef7b85f4f3b1d66ffa78f796b81a
- SHA512: eb1f16834d6337d798ce74a97486a39b9602b8fb216cc5e7d32e864128d838ed75fb502aa5519f000db2498fa863eb89f21e4f81913363d1e33b3ab785f4b35d
Static task: static1
Behavioral task: behavioral1
- Sample: Demand.exe
- Resource: win7-20220414-en
Malware Config
Extracted
- Family: formbook
- Version: 3.9
- Campaign: zc9
Targets
- Target: Demand.exe
- Size: 311KB
- MD5: 494a613b4431fab36d742a03b9346f38
- SHA1: 401ab4d705dfd2fa401ceda974cea623d4d773bb
- SHA256: 75952934e5ef6bb74f29c3320ef112e219cc953dc5ed8c351d742448f61161ff
- SHA512: b939cedd41ec3f60e0054ea75eaede0875988bb4ff9da1cf2a4241f23833d4b8cc9fa3aad465332778bfe1dbcb1932f14249cbadec8ba4b232092be59af23ece
- suricata: ET MALWARE FormBook CnC Checkin (GET)
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Adds policy Run key to start application
- Looks for VMWare Tools registry key
- Checks BIOS information in registry: BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry: Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext