General

  • Target

    PO98765.exe

  • Size

    672KB

  • Sample

    201126-slrpxvnnks

  • MD5

    137ec800f9c49390f2f225ab22774443

  • SHA1

    2f3f1a1615b625cb1daf8d1e4a3eba208a89e30d

  • SHA256

    60263179eccb843c5aa38040ebd2483b29a3923a94987f006561488e5d0f1d96

  • SHA512

    41b84ea68ec7c2b9fd5205a1ce00fcbfbe03d82efb4ae7ca9030f643aae341ff32b23974a23db5f8c0fbb423b569e838c10da56f185cbf4e70f1c634e8b570ec

Malware Config

Extracted

Family

formbook

C2

http://www.firedoom.com/sbmh/

Decoy

Targets

    • Target

      PO98765.exe

    • Formbook

      Formbook is a data-stealing malware.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

  • Discovery

    Query Registry (T1012): 4

    Virtualization/Sandbox Evasion (T1497): 2

    System Information Discovery (T1082): 3

    Peripheral Device Discovery (T1120): 1
