44696d252000850d3ea71d9ae238aedc

General

Target: 44696d252000850d3ea71d9ae238aedc
Size: 1MB
Sample: 210915-hlzcjsaab5
Score: 10/10
MD5: 44696d252000850d3ea71d9ae238aedc
SHA1: 1fb61a1df500f9025641526cb4013d555b129a84
SHA256: 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
SHA512: e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: vtkz
C2: http://www.luxuriousshoestop.com/vtkz/

Decoy domains:
todaynewsbuzz.com
bootwish.com
michelleortegawrites.com
tutorialme.com
daretoplaygames.com
telefonepantalla.com
advisorsoncall.life
marketingloisirs.com
cremationmtzionil.com
lgbtsuccess.com
cassandrawind.com
globaltradepay.com
thecafeart.com
starmobilehome.com
ugotshot.com
c03eeniom.store
afcerd.com
eleyhexs.com
utmmarhitzfil.com
saudiisrael.com
avanzanegocio.com
round-n.com
marketingdestatus.com
hibiskushomos.site
ignitemyboiler.com
lyofio.com
appltimized.com
mhughescreative.com
bournesolutionsgroup.com
byhollyb.com
space-holder.com
hchgroupconstruction.com
datamaticsbsl.com
vrsgw.com
erectwaves.com
playlinedomino.xyz
home-secure24.com
hausofdeme.com
jessejamesammo.com
theadventuringsmiths.com
expertsenegal.com
curemelaser.com
phatsarasinghapanich.com
mysacredone.com
out-n-play.com
us-m-patpat.com
nihilichor.com
revistadominga.com
q6talkspod.com
hoteltubsurroundinstallers.com

Targets

Target: 44696d252000850d3ea71d9ae238aedc
MD5: 44696d252000850d3ea71d9ae238aedc
Filesize: 1MB
Score: 10/10
SHA1: 1fb61a1df500f9025641526cb4013d555b129a84
SHA256: 1b39d6bf218028dfe7bc8254a3b1682804e9bf05b8298c708c318236f64ad986
SHA512: e1115a0a70b6d532633c1c60733a2aebbdc9e14863deaec7f6e15604c20f9f3ce3d36132ec2b814a4c774b25a6c4c8ccad4003724b98abead2be3f752b9d6314

Signatures

  • Formbook
    Description: Formbook is a data-stealing malware family.
  • Modifies Windows Defender Real-time Protection settings
    TTPs: Modify Registry, Modify Existing Service, Disabling Security Tools
  • Turns off Windows Defender SpyNet reporting
    TTPs: Disabling Security Tools, Modify Registry
  • UAC bypass
    TTPs: Bypass User Account Control, Disabling Security Tools, Modify Registry
  • Windows security bypass
    TTPs: Disabling Security Tools, Modify Registry
  • Formbook Payload
  • Looks for VirtualBox Guest Additions in registry
    TTPs: Query Registry, Virtualization/Sandbox Evasion
  • Nirsoft
  • Executes dropped EXE
  • Looks for VMWare Tools registry key
    TTPs: Query Registry, Virtualization/Sandbox Evasion
  • Checks BIOS information in registry
    Description: BIOS information is often read in order to detect sandboxing environments.
    TTPs: Query Registry, System Information Discovery
  • Drops startup file
  • Loads dropped DLL
  • Windows security modification
    TTPs: Disabling Security Tools, Modify Registry
  • Checks whether UAC is enabled
    TTPs: System Information Discovery
  • Maps connected drives based on registry
    Description: Disk information is often read in order to detect sandboxing environments.
    TTPs: Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics: Collection, Command and Control, Credential Access, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation