General

  • Target

    CMA-CGM_BOOKING CONFIRMATION.exe

  • Size

    136KB

  • Sample

    211014-sgrr1safgm

  • MD5

    8d8de7800608937b14d10bd67119606c

  • SHA1

    bc31409f73d7cae389fb0a7f6d43c4559cdf3b24

  • SHA256

    312a98e7e1ce67e997898b9fc725d99a2eb0ac2e9e6b1d316f9f5c99ed3a3223

  • SHA512

    92b5241333d0fe0cd303be979e226be5bd69b5656a733c5a867f5415923773561a584ff5ee15113b727299d11a94f474b624173a8c8b4807711644caa6a7d7d7

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

C2

http://www.yellow-wink.com/nff/

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (1)

Tasks