General

  • Target

    58b9ef070518321fd67fea27324eeee25b99318bd5c40bd34b2e33ffb4037d56

  • Size

    514KB

  • Sample

    220521-ass54sdfhj

  • MD5

    283be86b2919fa598bb3a9dec9d01282

  • SHA1

    0ac204e6a57a52079bcd3a43bc387fb2154abacb

  • SHA256

    58b9ef070518321fd67fea27324eeee25b99318bd5c40bd34b2e33ffb4037d56

  • SHA512

    bcaef0d1e5563a614fca480c285c245e0a43630ddef0610939324b483540a146cadf0ac70586f8bdb1237f6a14b5ec0b2c624719e3ddfed147f78643f4eabdf4

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    wus

  • Decoy

    generativecoaching.net

    skillmosaic.com

    practicalmaster.com

    12aminmiami.com

    instagramsupport.online

    mainelse.net

    qqysmr.com

    wealthxd.com

    videoadscreator.com

    dltzscl.com

    cotaforjulyans.com

    forcend.com

    shinjukufilm.com

    bsq30.com

    dragonsrose.net

    loganbuys.com

    wwwfitnessymusica.com

    microbladingdublin.com

    corporateiconic.com

    sunshinegroupnyc.com

Targets

    • Target

      PO PI.exe

    • Size

      460KB

    • MD5

      9a931b93992bd36af52ea345cef3af98

    • SHA1

      dbe897227e9df2b0dc809068df011722d0bbf7a2

    • SHA256

      8e9f882576a66be70ed5bc204584037087f3bd53d13498126153fb7514f7dd7a

    • SHA512

      46eecbeae1e8d591f0b8f7a76bc260538f92b1b4cbd3b69b0fecc6a85c9d839c79e0dc7e047620b52bdc406c2346abd4ca8ba35b47fdb32082f407d470bf8f43

    • Formbook

      Formbook is an information-stealing malware family that harvests data such as stored credentials and form input from infected hosts.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks