General

  • Target: ARRIVAL NOTICE AND IMPORT PERMIT.lzh
  • Size: 55KB
  • Sample: 211015-vvhglsbheq
  • MD5: 0a7506eb8f7a9876b2a4ff1ae5465e57
  • SHA1: 64217c729ba6de92d2474c2dbfcb131cb49ec998
  • SHA256: 24bcc08ffd3830682dbd3a11790e5daa04c1da567ab2cc3302ae5305fa2e47ca
  • SHA512: 52f474ef29356a92f8971aed4a43cce3f42e2962d3a59c9b5d3447db26f88ae8857e33f4e4cf0e956ffe5f45def08afe30efe1d84b29efab04c8bb43650454f2

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: s0vc
  • C2: http://www.xn--289an7fmsbe2rud327e.com/s0vc/


Targets

    • Target: ARRIVAL NOTICE AND IMPORT PERMIT.exe
    • Size: 136KB
    • MD5: 14286f5d33d5d0db8c2cf853588105de
    • SHA1: 0054237732dfb296e5b5429886a057e4374c1515
    • SHA256: 0bf8feda9e131c4b5bc7b17218880c3a492f702fa9fd6dc9d10f5a62a72aa08a
    • SHA512: f8169fc9ed525a268dca75f6e1e836fae00dabe3876aaf4766d21cf8d883fa91f0e4a6c8c9fcee3daec6ac6db0100614e7bbf0720b9015cd98015043dafe627d

    • Formbook

      Formbook is an information-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry: 1 (T1012)
  • System Information Discovery: 1 (T1082)

Tasks