General
- Target: 948e0acfa084f97be864d2d03bc72d1996ab17f1ef7aec5f9f64eef1f498adae
- Size: 591KB
- Sample: 220521-nest3sgfhp
- MD5: 01463bce11a2fb41cc48f62f01ca04ad
- SHA1: d298e90f1eb91bafeb4e6948b844f77a7aad5a0f
- SHA256: 948e0acfa084f97be864d2d03bc72d1996ab17f1ef7aec5f9f64eef1f498adae
- SHA512: 160714c33f76a998d41aaf25fe82b1bdd673a22f64dc1a254768dd29f4e254ef369c2276e6d06f4c0f7a583a626357c5a5ffb7ba240ec230befd40be9b1f8283
- Static task: static1
- Behavioral task: behavioral1
- Sample: Quotation - 8 x E8.exe
- Resource: win7-20220414-en
Malware Config
Extracted
formbook
4.1
hnh
Targets
- Target: Quotation - 8 x E8.exe
- Size: 731KB
- MD5: 659e8ae340e34797dff706eb709cff1c
- SHA1: ec7e57582857f4801bbebe9ca9d96b156906be78
- SHA256: b1d72f54b46528f1dd2265231ea91a8dcc2a4461dc897e1f7bd8d5e915f189f2
- SHA512: ca3ded1c8a3237c6104f41a330f9db1ed0970ae032ce17758eeac6571e660d1196af32b71e7003e0151f692ac25db2b84f3f9751b7c397712bdb4defbafa984e
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext