General

  • Target

    a06d2e1f81c746b5c7751e96ab655602b97a89aa58f089cbc4f3a9fe3690d3fe

  • Size

    620KB

  • Sample

    220521-abldyahhg7

  • MD5

    75183008da23617c64b2db5ec7d7b6b5

  • SHA1

    9ed3f169c13c4467e96cec0693784d1e961cb03e

  • SHA256

    a06d2e1f81c746b5c7751e96ab655602b97a89aa58f089cbc4f3a9fe3690d3fe

  • SHA512

    6ae8227999f5f9df43c66a40f4dfffa3ce3761d27003c7c57c4bd7518acfae7d1b1acc4a76c39c222f0a8601ed973e5ea16cfc43145fc426e220a06641697ccb

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wus

Decoy

generativecoaching.net

skillmosaic.com

practicalmaster.com

12aminmiami.com

instagramsupport.online

mainelse.net

qqysmr.com

wealthxd.com

videoadscreator.com

dltzscl.com

cotaforjulyans.com

forcend.com

shinjukufilm.com

bsq30.com

dragonsrose.net

loganbuys.com

wwwfitnessymusica.com

microbladingdublin.com

corporateiconic.com

sunshinegroupnyc.com

Targets

    • Target

      BL PL.exe

    • Size

      567KB

    • MD5

      4cc9a0255352e0410c74eeeb1c64ba67

    • SHA1

      a3b5dd3aebf2e427cc7da89aff59575099f106fa

    • SHA256

      718524efef50f9e043f3db594db14aa1f5e3fba213539b5b219638d089937afe

    • SHA512

      6f1de62ec8b8c15352feb86a9f2f8839f29740da7ceae50c4ae3fe4951cdfd79131607fbb50aa0f5d64151513ed26d436a8f162ce17368b37f01e747d833ba94

    • Formbook

      Formbook is an information-stealing malware family: it harvests stored credentials and other user data from the infected host and sends them to its command-and-control infrastructure.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext
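The signature names above are the kind of rule a sandbox or EDR evaluates over a process's API trace rather than anything Formbook-specific in the file itself. The following is an added example (not the sandbox's own rules and not code from this report): it runs a small signature matcher over a constructed trace and reports which of the listed behaviours are present. The registry paths, file paths and API names used as indicators, and the call order used to flag process hollowing via SetThreadContext, are assumptions about what each signature checks.

```python
"""Match sandbox-style behaviour signatures over a constructed API trace.

Every indicator below (registry paths, browser profile paths, the
CreateProcess -> WriteProcessMemory -> SetThreadContext -> ResumeThread
chain) is an assumption chosen to mirror the report's signature names;
none of it is taken from the sandbox's own rule set.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set


@dataclass(frozen=True)
class Event:
    pid: int   # process that issued the call
    api: str   # e.g. "RegOpenKeyExW", "NtCreateFile", "SetThreadContext"
    arg: str   # registry path, file path, or flags rendered as text


# Registry reads that anti-analysis code uses to fingerprint a VM or sandbox
# (assumed paths; matched case-insensitively as regexes).
REG_READ_RULES = {
    "Looks for VirtualBox Guest Additions in registry":
        r"\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "Looks for VMWare Tools registry key":
        r"\\SOFTWARE\\VMware, Inc\.\\VMware Tools",
    "Checks BIOS information in registry":
        r"\\HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion|SystemManufacturer)",
    "Maps connected drives based on registry":
        r"\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum",
}
# Registry write that establishes persistence through the policy Run key (assumed path).
POLICY_RUN_RULE = r"\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
# File opens on browser profile data (assumed paths).
FILE_RULES = {
    "Reads user/profile data of web browsers":
        r"\\(Google\\Chrome\\User Data|Mozilla\\Firefox\\Profiles)\\",
}
REG_READ_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "NtOpenKey", "NtQueryValueKey"}
REG_WRITE_APIS = {"RegSetValueExW", "NtSetValueKey"}
FILE_OPEN_APIS = {"NtCreateFile", "NtOpenFile", "CreateFileW"}

# Process hollowing, as one process sees it: spawn a child suspended, overwrite
# its memory, replace the main thread's context, resume. Order matters.
HOLLOW_CHAIN = ["CreateProcessW", "WriteProcessMemory", "SetThreadContext", "ResumeThread"]


def _match(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


def _hollowing(events: List[Event], pid: int) -> bool:
    """True if `pid` issued HOLLOW_CHAIN in order, starting with a suspended CreateProcess."""
    idx = 0
    for ev in events:
        if ev.pid != pid or ev.api != HOLLOW_CHAIN[idx]:
            continue
        if ev.api == "CreateProcessW" and "CREATE_SUSPENDED" not in ev.arg:
            continue  # a normally-started child is not a hollowing target
        idx += 1
        if idx == len(HOLLOW_CHAIN):
            return True
    return False


def match_signatures(events: Iterable[Event]) -> Set[str]:
    """Return the set of signature names the trace triggers."""
    events = list(events)
    hits: Set[str] = set()
    for ev in events:
        if ev.api in REG_READ_APIS:
            hits.update(n for n, p in REG_READ_RULES.items() if _match(p, ev.arg))
        elif ev.api in REG_WRITE_APIS and _match(POLICY_RUN_RULE, ev.arg):
            hits.add("Adds policy Run key to start application")
        elif ev.api in FILE_OPEN_APIS:
            hits.update(n for n, p in FILE_RULES.items() if _match(p, ev.arg))
    if any(_hollowing(events, pid) for pid in {e.pid for e in events}):
        hits.add("Suspicious use of SetThreadContext")
    return hits


# Constructed trace (not taken from the report): pid 1000 is the dropper,
# pid 1104 the hollowed child that carries on with persistence and theft.
SAMPLE_TRACE = [
    Event(1000, "RegOpenKeyExW", r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    Event(1000, "RegOpenKeyExW", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    Event(1000, "RegQueryValueExW", r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    Event(1000, "RegOpenKeyExW", r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"),
    Event(1000, "CreateProcessW", r"C:\Windows\explorer.exe flags=CREATE_SUSPENDED"),
    Event(1000, "WriteProcessMemory", "target_pid=1104"),
    Event(1000, "SetThreadContext", "target_pid=1104"),
    Event(1000, "ResumeThread", "target_pid=1104"),
    Event(1104, "RegSetValueExW",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater"),
    Event(1104, "NtCreateFile",
          r"C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
]

if __name__ == "__main__":
    for name in sorted(match_signatures(SAMPLE_TRACE)):
        print(name)
```

The hollowing check is deliberately order-sensitive and keyed to CREATE_SUSPENDED: a debugger or a legitimate installer may call SetThreadContext on its own, and flagging the API in isolation would be noisy. The registry rules match on reads only, so merely having the Guest Additions key present on the host does not count; the sample has to go looking for it.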

MITRE ATT&CK Enterprise v6