formbook | 04e7f27915298f09a1486331df3f0e5121e4a7856f41290f48200255b8b82df8 | Triage

Sharing

General

Target

4cb2041db0a8696f1853543f5c03b89a.exe
Size

850KB
Sample

210112-nhy7qn7fle
MD5

4cb2041db0a8696f1853543f5c03b89a
SHA1

aaa3e737d72504340eeb6111d7d51c8a7e37efe2
SHA256

04e7f27915298f09a1486331df3f0e5121e4a7856f41290f48200255b8b82df8
SHA512

2d4a07afc9dbb6c1f81c5e6f16c51763f2fd42bba2e77c0310b17ee949aad3e88562e5d13f77c13449585ddd2918512e80b8735e9fbf7155826ee39d566d938a

Score

10^/10

formbook evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.thesiromiel.com/kgw/

Decoy

valentinakasu.com

soyelmatador.com

collaborativeprosperity.com

power8brokers.com

nexus-ink.com

manpasandmeatmarket.com

the-ethical-forums.today

maryannpark.com

bikininbodymommy.com

pxwuo.com

bigbangmerch.com

okaysinger.com

shopcarpe.com

rainbowhillsswimclub.com

crifinmarket.com

ebl-play.net

forceandsonsequipment.com

viagraytqwi.com

latashashop.com

suffocatinglymundanepodcast.com

Targets

- Target
  
  4cb2041db0a8696f1853543f5c03b89a.exe
- Size
  
  850KB
- MD5
  
  4cb2041db0a8696f1853543f5c03b89a
- SHA1
  
  aaa3e737d72504340eeb6111d7d51c8a7e37efe2
- SHA256
  
  04e7f27915298f09a1486331df3f0e5121e4a7856f41290f48200255b8b82df8
- SHA512
  
  2d4a07afc9dbb6c1f81c5e6f16c51763f2fd42bba2e77c0310b17ee949aad3e88562e5d13f77c13449585ddd2918512e80b8735e9fbf7155826ee39d566d938a
Score

10^/10

formbook evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookevasionratspywarestealertrojan

behavioral2

formbookevasionratspywarestealertrojan