General

  • Target

    7f44706f1c5ed5d723262bfa03b5500e.exe

  • Size

    724KB

  • Sample

    211014-ndcfpsghbr

  • MD5

    7f44706f1c5ed5d723262bfa03b5500e

  • SHA1

    2c8b87e78b625e5436a559e92ffffaf4d7d5f3f9

  • SHA256

    7903434967ec18733812c4bdd4acdff871bfff5ce40528442272cf230822dd10

  • SHA512

    ec067ee7a95adbb872fe5f38ada816db747e910401a3fba609c30f394a01262fb34e70e9f8af4be5fb7e6e728bcef327d968f24d2653baca6a067c5101e4d5d8

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    hs3h

  • C2

    http://www.alefisrael.com/hs3h/

  • Decoy

    slairt.com
    teresasellsflorida.com
    resouthcarolina.com
    npccfbf.com
    hutshed.com
    westatesmarking.com
    rustmonkeys.com
    kagawa-rentacar.com
    easyvoip-system.com
    admorinsulation.com
    ericaleighjensen.com
    zhonghaojiaju.net
    apple-iphone.xyz
    b0t.info
    torgetmc.xyz
    lawrencemargarse.com
    6123655.com
    macdonalds-delivery.com
    cvpfl.com
    ayudaparaturent.com

Targets

    • Target

      7f44706f1c5ed5d723262bfa03b5500e.exe

    • Size

      724KB

    • MD5

      7f44706f1c5ed5d723262bfa03b5500e

    • SHA1

      2c8b87e78b625e5436a559e92ffffaf4d7d5f3f9

    • SHA256

      7903434967ec18733812c4bdd4acdff871bfff5ce40528442272cf230822dd10

    • SHA512

      ec067ee7a95adbb872fe5f38ada816db747e910401a3fba609c30f394a01262fb34e70e9f8af4be5fb7e6e728bcef327d968f24d2653baca6a067c5101e4d5d8

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Defense Evasion

    Virtualization/Sandbox Evasion (2) T1497

  • Discovery

    Query Registry (4) T1012
    Virtualization/Sandbox Evasion (2) T1497
    System Information Discovery (3) T1082
    Peripheral Device Discovery (1) T1120

Tasks