General

  • Target

    nova narudžba.exe

  • Size

    613KB

  • Sample

    210421-2t8rz4my3e

  • MD5

    e3d04586f820d0b32ac72b9447890181

  • SHA1

    8e34dafea4406548b0af762e6ecbd42d156a1b58

  • SHA256

    f5b24f949895b74aa3b6bbb47e215f55f1846bf82bf462db83eff295e72fb5f7

  • SHA512

    aceccdf0246730f9775855f2359f54b11e33d9d1aa8c71053f1894feaf0d0d6491f04bd019ead6173cc2f3d05b34ed4b3f0a9bd536cce2a8260ce8d0df86f475

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • C2

    http://www.quetech.info/ykl/

  • Decoy

    856380056.xyz
    collegesx.com
    glenoindustrysupply.com
    latingames.net
    ykdxlfd.icu
    donnapharris.com
    thememoryofmiracles.com
    youngbrotherhawaii.com
    loolake.info
    e-scrutiny.com
    bebeautybehappy.com
    ankhopxa.store
    315520.com
    octamira.com
    dggy100.com
    gkjpondokgede.com
    yoursnips.com
    analog-capture.com
    wnetn.com
    blmisajoke.com

Targets

    • Target

      nova narudžba.exe

    • Size

      613KB

    • MD5

      e3d04586f820d0b32ac72b9447890181

    • SHA1

      8e34dafea4406548b0af762e6ecbd42d156a1b58

    • SHA256

      f5b24f949895b74aa3b6bbb47e215f55f1846bf82bf462db83eff295e72fb5f7

    • SHA512

      aceccdf0246730f9775855f2359f54b11e33d9d1aa8c71053f1894feaf0d0d6491f04bd019ead6173cc2f3d05b34ed4b3f0a9bd536cce2a8260ce8d0df86f475

    • Formbook

      Formbook is an information-stealing malware family: it logs keystrokes, grabs form data and credentials from browsers and other applications, and exfiltrates them to its C2.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
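The five signatures above are behavioural rules the sandbox fires on registry and API activity. The Python below is an added illustration, not the sandbox's own code: it runs the same kind of logic over a constructed API trace, mapping registry probes to the report's signature names and ATT&CK v6 technique IDs, and flagging the WriteProcessMemory, SetThreadContext, ResumeThread sequence against a child process that the "Suspicious use of SetThreadContext" signature is about. The log format, the exact registry paths each signature keys on, and the API sequence are assumptions.

```python
"""Tag sandbox behaviour events with the signatures this report lists.

Added example, not part of the sandbox's own code. The log format, the
registry paths each signature keys on and the injection API sequence are
assumptions made for illustration.
"""
import re
from collections import Counter

# Registry paths that commonly betray a VM or sandbox. Signature names and
# ATT&CK v6 technique IDs mirror the report; the paths are assumptions and
# are matched case-insensitively against the start of the key string.
REGISTRY_SIGNATURES = (
    (r"HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
     "Looks for VirtualBox Guest Additions in registry", "T1497"),
    (r"HKLM\\SOFTWARE\\VMware, Inc\.\\VMware Tools",
     "Looks for VMWare Tools registry key", "T1497"),
    (r"HKLM\\HARDWARE\\DESCRIPTION\\System(\\|$)",
     "Checks BIOS information in registry", "T1082"),
    (r"HKLM\\SYSTEM\\(CurrentControlSet|ControlSet\d{3})\\Services\\Disk\\Enum",
     "Maps connected drives based on registry", "T1120"),
)
REGISTRY_OPS = {"RegOpenKeyExW", "RegQueryValueExW"}

# API calls, in order, that mark a thread-context hijack of another process
# (write payload, redirect the thread, let it run). Assumed sequence.
INJECTION_SEQUENCE = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")

# key=value or key="quoted value" tokens, one event per line (assumed format)
EVENT_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Parse one log line into a dict of its key/value fields."""
    return {k: v.strip('"') for k, v in EVENT_RE.findall(line)}


def match_registry(events):
    """Count registry probes per signature name and per ATT&CK technique."""
    hits, techniques = Counter(), Counter()
    for ev in events:
        if ev.get("op") not in REGISTRY_OPS:
            continue
        for pattern, name, technique in REGISTRY_SIGNATURES:
            if re.match(pattern, ev.get("key", ""), re.IGNORECASE):
                hits[name] += 1
                techniques[technique] += 1
                break
    return hits, techniques


def find_context_hijack(events):
    """Return (source_pid, target_pid) pairs where INJECTION_SEQUENCE completed in order."""
    progress = {}  # (src, dst) -> index of the next expected API call
    found = []
    for ev in events:
        src, dst = ev.get("pid"), ev.get("target_pid")
        if not dst or dst == src:
            continue  # only cross-process activity is of interest
        key = (src, dst)
        if ev.get("op") == INJECTION_SEQUENCE[progress.get(key, 0)]:
            progress[key] = progress.get(key, 0) + 1
            if progress[key] == len(INJECTION_SEQUENCE):
                found.append(key)
                progress[key] = 0
    return found


def analyze(lines):
    """Run both rule sets over raw log lines and return the report-style summary."""
    events = [parse_event(line) for line in lines if line.strip()]
    sig_hits, techniques = match_registry(events)
    hijacks = find_context_hijack(events)
    if hijacks:
        sig_hits["Suspicious use of SetThreadContext"] += len(hijacks)
    return {"signatures": dict(sig_hits), "techniques": dict(techniques), "hijacks": hijacks}


# Constructed sample trace for illustration; not taken from the report's run.
SAMPLE_LOG = r"""
pid=1840 op=RegOpenKeyExW key="HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions" status=NOT_FOUND
pid=1840 op=RegOpenKeyExW key="HKLM\SOFTWARE\VMware, Inc.\VMware Tools" status=NOT_FOUND
pid=1840 op=RegQueryValueExW key="HKLM\HARDWARE\DESCRIPTION\System" value=SystemBiosVersion
pid=1840 op=RegQueryValueExW key="HKLM\HARDWARE\DESCRIPTION\System" value=VideoBiosVersion
pid=1840 op=RegOpenKeyExW key="HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"
pid=1840 op=CreateProcessW target_pid=2612 image="C:\Users\user\Desktop\nova narudžba.exe" flags=CREATE_SUSPENDED
pid=1840 op=WriteProcessMemory target_pid=2612 size=0x4a000
pid=1840 op=SetThreadContext target_pid=2612
pid=1840 op=ResumeThread target_pid=2612
""".strip().splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The injection rule deliberately requires the three calls in order for the same source/target pair; a lone SetThreadContext on a thread the process itself created (debuggers, some runtimes) is not flagged, which keeps the rule close to what the report's signature actually means.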

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task, T1053 (1)
    Command-Line Interface, T1059 (1)

  • Persistence

    Scheduled Task, T1053 (1)

  • Privilege Escalation

    Scheduled Task, T1053 (1)

  • Defense Evasion

    Virtualization/Sandbox Evasion, T1497 (2)

  • Discovery

    Query Registry, T1012 (4)
    Virtualization/Sandbox Evasion, T1497 (2)
    System Information Discovery, T1082 (4)
    Peripheral Device Discovery, T1120 (1)

Tasks