formbook | e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42 | Triage

Sharing

General

Target

LOI.exe
Size

809KB
Sample

210112-xz6tzal4qx
MD5

f55d280858080efac6e84da67a284d75
SHA1

816c8aea265cc8084bb5d9a5ad954eb295178524
SHA256

e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42
SHA512

72b01d2003c2aeaa90793d42d23922c6a6bbca5bd8c2abec10c114c419fd0a30b314c2491f9219ee29e266c2b0707089dcba514e7acd0a5df01de0275fbeddb5

Score

10^/10

formbook evasion rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.fenhouses.com/nhk9/

Decoy

livinginroanokeva.com

entpiregaming.com

solutionsolvegh.com

glasgowcmr.com

gutesbenehmen.com

gracecitychurchmadison.com

linkalto.com

waahingtontimes.com

hxcked.com

buyung.xyz

asesormarketing.digital

bolodl.com

blushnbella.com

overhalldiesel.com

loveyorkshirecoast.com

puffpornandpizza.com

virgilisticlifestyleinc.com

clingnseal.com

artisantop.com

webinarsusa.com

Targets

- Target
  
  LOI.exe
- Size
  
  809KB
- MD5
  
  f55d280858080efac6e84da67a284d75
- SHA1
  
  816c8aea265cc8084bb5d9a5ad954eb295178524
- SHA256
  
  e2cc8c23ff3dc0294b72571080f92677314d758c5248ef77a839e1b62818df42
- SHA512
  
  72b01d2003c2aeaa90793d42d23922c6a6bbca5bd8c2abec10c114c419fd0a30b314c2491f9219ee29e266c2b0707089dcba514e7acd0a5df01de0275fbeddb5
Score

10^/10

formbook evasion rat spyware stealer trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

Persistence

Scheduled Task

Privilege Escalation

Scheduled Task

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

formbookevasionratspywarestealertrojan

behavioral2

formbookevasionratspywarestealertrojan