General

  • Target

    e87b10b098df8ff5906cb1154c78e83d.exe

  • Size

    596KB

  • Sample

    211027-pp2qeaegb3

  • MD5

    e87b10b098df8ff5906cb1154c78e83d

  • SHA1

    26417afefaabd707dae65d9fdd84178f4fb5e112

  • SHA256

    4e25735dc713c78458f181caa0f09a6ea2ca79a708a3b22f52d1c936806de251

  • SHA512

    87a959392f490e84346daffbbb3807a168b9c1ff4a4bdbf4b7e2e9db813377e1c9eb1a4be3b4cb7bd8eb011553d3367e818068d8af18c2e219543af7ca489e88

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    hs3h

  • C2

    http://www.alefisrael.com/hs3h/

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                        Count  ID
  Execution             Scheduled Task                   1      T1053
  Persistence           Scheduled Task                   1      T1053
  Privilege Escalation  Scheduled Task                   1      T1053
  Defense Evasion       Virtualization/Sandbox Evasion   2      T1497
  Discovery             Query Registry                   4      T1012
  Discovery             Virtualization/Sandbox Evasion   2      T1497
  Discovery             System Information Discovery     3      T1082
  Discovery             Peripheral Device Discovery      1      T1120

Tasks