General
-
Target
998054c2fd09143ef422cfb952491ecb0e456c61ae22bbc8ad17eaf3ef2871f5
-
Size
252KB
-
Sample
220521-nttd6ahcap
-
MD5
366a64a3956b641c5601ce3b2eb7d7d2
-
SHA1
8ee2b69b5db8a63f14447b43c65bda7c6b18537c
-
SHA256
998054c2fd09143ef422cfb952491ecb0e456c61ae22bbc8ad17eaf3ef2871f5
-
SHA512
1522af9c07d83e7c8a106d627c8cfe0c7264505370f5b73cfc28c5be4efbd6b7e1189985bf08082c11ac7e0335583402ab346f67a92d541cfc939103d54c48eb
Static task
static1
Behavioral task
behavioral1
Sample
PAYMENT INSTRUCTION.exe
Resource
win7-20220414-en
Malware Config
Extracted
formbook
3.9
23v
1l4m-5qeh0cgx9a.com
portsel.com
vypnxg.men
renrenbaoshangcheng.com
hulebang.com
heatburnio.com
amazingthunderworks.com
quantumreapers.com
8801i.info
moonlightmanager.com
bqypm.info
backlinkbarato.com
jiudianhuixun.com
markerbio.net
empety.com
eternalkollection.com
teknoshift.com
petitenobel.net
zlmqv.info
emotionalcontrols.com
mitesserentferner.com
kqhqmgxzhklkoo.win
shanghaihuayu.com
gauqc.info
beheartratemonitoringwow.live
sarfarazusmani.com
hamptonandjones.com
mywealth.coach
universidade-online.com
vannuysland.com
studio815.salon
cryptofinance.services
rawholisticnutrition.com
myplusha.com
ritireewaj.com
experimenty-it.info
supremeondemand.com
profeschaneldesign.com
mrdude.tech
devereaux.us
concussionawareness.net
bookboardz.com
beyondcurosity.com
keeperofthebeesnwnj.com
schoolofintrovertship.com
miscowil.date
ysz688.com
eec-lean.com
hennryusa.com
cosmemia.com
faxist.com
odjmusica.com
hgx-bmc.com
mangaromance.com
badnoordzee.com
garden-scope.com
sippingnpaintingcolorado.net
fineveherforb-12.com
storeketo.com
crappie-fishing.com
uwumwx.info
wyalusingbeverage.com
jindiandj.com
minimalistvetonabudget.com
godhep.com
Targets
-
Target
PAYMENT INSTRUCTION.exe
-
Size
335KB
-
MD5
68e94fa2a66e2ffcf9d4d45bd927b019
-
SHA1
b5d64de2710a3798c621b7974b482f3e584b9da5
-
SHA256
48bef4e5d2768c5ccbbc84d922a276484ce75ed236a72441b5148d7a541a52e3
-
SHA512
a812d740cf39f170e7a4e2706d79424c52eabbab402dbf901a0d56a8e3c5a6165045745f1209372adafbe9d61d19579d1a84401cd8bc3e75a2712354cd4bc948
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Adds policy Run key to start application
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-