General

  • Target: f3b163231a156797f336842bd4e6fce358ce875b7a06430c92d777eb84186f46
  • Size: 349KB
  • Sample: 220521-b98gssdea9
  • MD5: 9d546a8d0f24206a897ff8e4b8af21f5
  • SHA1: 6bb02c8e6887f29d20f843baa0e643574d724ac5
  • SHA256: f3b163231a156797f336842bd4e6fce358ce875b7a06430c92d777eb84186f46
  • SHA512: de1ac6bcd134429ed3120d27741cf77cc07a0ad4e3773dcf48d14379b8368feff9b42ec1df1d15fd2948c5a7e2f95788ed6a18249992b8ee5d7e43790c3f4a22

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: duj
  • Decoy

Targets

  • Target: po456789__img.exe
  • Size: 403KB
  • MD5: 8205a489fc508497b86443d6253e294b
  • SHA1: 45e9e0b6dc9fce4583753e3cded6552844de0695
  • SHA256: 6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb
  • SHA512: b5099a16e8ad338574e6b5f5b57c0b160ff12fa75efbafe8e06dfa3de23611c54edddd9ef9e2fe30a424df733a93eafee452bdf7f5b344bb9629dff15353cd08

  • Formbook

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload

  • Looks for VirtualBox Guest Additions in registry

  • Adds policy Run key to start application

  • Looks for VMWare Tools registry key

  • Checks BIOS information in registry

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2
    Modify Registry (T1112): 2

  • Discovery

    Query Registry (T1012): 4
    Virtualization/Sandbox Evasion (T1497): 2
    System Information Discovery (T1082): 2
    Peripheral Device Discovery (T1120): 1

Tasks