Overview

overview

10

Static

static

BK8476699_BOOKING.exe

windows7_x64

10

BK8476699_BOOKING.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    BK8476699_BOOKING.exe

  • Size

    465KB

  • Sample

    210909-fqt8aaagcr

  • MD5

    0184924485a5bb35957ca5102af07b50

  • SHA1

    e52aad204a9e5b6914885fc7325a44a1e088ca28

  • SHA256

    024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a

  • SHA512

    bb7be885c9a3a71935ee5c916d89e223fed4362794132848fb0248ce1ba70801c81bdbfe5de35d6ce394e503f5ab276d9624c1325cfec822d02453882458682d

Score
10/10
formbookguloadernffdownloaderratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

C2

http://www.yellow-wink.com/nff/

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Targets

    • Target

      BK8476699_BOOKING.exe

    • Size

      465KB

    • MD5

      0184924485a5bb35957ca5102af07b50

    • SHA1

      e52aad204a9e5b6914885fc7325a44a1e088ca28

    • SHA256

      024490bf99d2b77dc7943a5932bba385948feb7416fc434992593e72bad4782a

    • SHA512

      bb7be885c9a3a71935ee5c916d89e223fed4362794132848fb0248ce1ba70801c81bdbfe5de35d6ce394e503f5ab276d9624c1325cfec822d02453882458682d

    Score
    10/10
    formbookguloadernffdownloaderratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

      downloaderguloader

    • Formbook Payload

      rat

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks