General

  • Target

    dbb2e50bc17ff79ae31d01a04ebc0f516a04ac28b5ffdd556a3dfc0541de5e3c

  • Size

    271KB

  • Sample

    220521-bm7a8acbd4

  • MD5

    77dc078d1d6b77cf397a187581c494f5

  • SHA1

    7321549c671c8993f3981f68fa4da86954ae8eb5

  • SHA256

    dbb2e50bc17ff79ae31d01a04ebc0f516a04ac28b5ffdd556a3dfc0541de5e3c

  • SHA512

    0b429bb6f75a94e12ef5fcf5cb4034bc7e3fbb31fada04742f066833e56673667c51928aa9d24b0add8946f29bf2758d2a1e017df5da9d388c78228f9e758347

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h0d

Decoy

goredfriday.com

ez-sleep.com

xydrgzx.com

paintersjacksonville.com

878212315.com

hotchatcams.com

cavalierwebsolutions.com

spirituellleben.com

emeraldjaya.com

dxyuq.info

rupturefarms.info

cajunnavygear.com

fsqdi.info

thegettinplacewhy.com

z0oav.com

conceptionfitness.com

kraftinvest.info

youngpeoplefutureofnews.com

cvmascotas.net

mundoconnection.com

Targets

    • Target

      Swift Copy Pdf.exe

    • Size

      324KB

    • MD5

      9a426dc20fda9d009e9420df7b25d4be

    • SHA1

      ee1b322966cc4c1c51a2d2cdf42146b9df551a0d

    • SHA256

      a50d19ddd0b87fdc2529cfb1676f14297125443103286553fbcdf4ffa989f8e7

    • SHA512

      21d19354008766a248a29ddeedfdf46320dd78fb478d480f941d47ea48028ca8843c816013d95ecec84c7fbe14bc1917fde1658b74cc54abaee93edfd065fd24

    • Formbook

      Formbook is an information-stealing malware family (a "form grabber"): it harvests credentials and form data from browsers and other applications, logs keystrokes and clipboard contents, and exfiltrates them to its C2. Its configuration carries a list of domains, most of which are decoys, so the extracted list above should not be treated as a list of live C2 servers.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is a common step in process hollowing and other code-injection techniques.
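
The behaviours above that touch the registry (the VirtualBox Guest Additions and VMware Tools lookups, the BIOS and mounted-drive reads, and the policy Run key write) can be scored from host telemetry. The script below is an added example, not code from this report or from the sandbox that produced it. It runs over constructed Sysmon-style registry events (EventID 12/13 shape: process, key, operation) and grades each process the way an analyst would: explicit VM-product probing plus a Policies\Explorer\Run write is the profile this report shows, while BIOS or MountedDevices reads on their own are ordinary OS noise. The registry paths are assumptions drawn from general Windows knowledge; the report does not list them, and the sample events are constructed for the demo.

```python
"""Score Sysmon-style registry events for the Formbook behaviours in the report.

Added example; not code from the sandbox report or any vendor tool.
Registry paths are assumed (well-known Windows locations), not taken from the report.
"""
from dataclasses import dataclass, field

# Assumed registry locations for each behaviour tag in the report.
VM_ARTIFACT_KEYS = {
    r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions": "virtualbox_guest_additions",
    r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools": "vmware_tools",
}
BIOS_KEY = r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"
MOUNTED_DEVICES_KEY = r"HKLM\SYSTEM\MountedDevices"
POLICY_RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"


@dataclass(frozen=True)
class RegEvent:
    """One registry access in the shape a Sysmon EventID 12/13 record carries."""
    pid: int
    image: str
    op: str            # "query" for a read, "set" for a value write
    key: str
    value: str = ""
    data: str = ""


def _norm(key: str) -> str:
    key = key.replace("HKEY_LOCAL_MACHINE", "HKLM").replace("HKEY_CURRENT_USER", "HKCU")
    return key.rstrip("\\").lower()


def _under(key: str, base: str) -> bool:
    """True if key is base itself or a subkey of base (case-insensitive)."""
    k, b = _norm(key), _norm(base)
    return k == b or k.startswith(b + "\\")


def _classify(ev: RegEvent):
    """Map one event to a behaviour tag from the report, or None."""
    if ev.op == "query":
        for base, name in VM_ARTIFACT_KEYS.items():
            if _under(ev.key, base):
                return name
        if _under(ev.key, BIOS_KEY):
            return "bios_query"
        if _under(ev.key, MOUNTED_DEVICES_KEY):
            return "drive_enumeration"
    elif ev.op == "set" and _under(ev.key, POLICY_RUN_KEY):
        return "policy_run_persistence"
    return None


@dataclass
class Finding:
    image: str
    tags: set = field(default_factory=set)
    evidence: list = field(default_factory=list)

    def verdict(self) -> str:
        vm_specific = {"virtualbox_guest_additions", "vmware_tools"} & self.tags
        persists = "policy_run_persistence" in self.tags
        if vm_specific and persists:
            return "high"    # VM-product probing plus policy Run key: the report's profile
        if vm_specific:
            return "medium"  # explicit VM-product lookups are rarely benign
        if persists:
            return "low"     # Policies\Explorer\Run is unusual but not malicious alone
        return "info"        # BIOS / MountedDevices reads alone are normal OS noise


def score_events(events):
    """Group events per process and tag them; returns {pid: Finding}."""
    findings = {}
    for ev in events:
        tag = _classify(ev)
        if tag is None:
            continue
        f = findings.setdefault(ev.pid, Finding(image=ev.image))
        f.tags.add(tag)
        detail = f"\\{ev.value} = {ev.data}" if ev.value else ""
        f.evidence.append(f"{tag}: {ev.op} {ev.key}{detail}")
    return findings


# Constructed sample telemetry: the file name comes from the report, the paths do not.
SAMPLE_IMAGE = r"C:\Users\victim\Desktop\Swift Copy Pdf.exe"
SAMPLE_EVENTS = [
    RegEvent(4242, SAMPLE_IMAGE, "query", r"HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions"),
    RegEvent(4242, SAMPLE_IMAGE, "query", r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"),
    RegEvent(4242, SAMPLE_IMAGE, "query", BIOS_KEY, "SystemManufacturer"),
    RegEvent(4242, SAMPLE_IMAGE, "query", MOUNTED_DEVICES_KEY),
    RegEvent(4242, SAMPLE_IMAGE, "set", POLICY_RUN_KEY, "Swift Copy Pdf",
             r"C:\Users\victim\AppData\Roaming\Swift Copy Pdf.exe"),
    # Benign noise: Explorer reading BIOS and drive information is normal.
    RegEvent(1337, r"C:\Windows\explorer.exe", "query", BIOS_KEY, "SystemProductName"),
    RegEvent(1337, r"C:\Windows\explorer.exe", "query", MOUNTED_DEVICES_KEY),
]


def run_demo():
    """Verdict per process for the constructed sample."""
    return {pid: f.verdict() for pid, f in score_events(SAMPLE_EVENTS).items()}


if __name__ == "__main__":
    for pid, f in score_events(SAMPLE_EVENTS).items():
        print(pid, f.image, f.verdict(), sorted(f.tags))
        for line in f.evidence:
            print("   ", line)
```

The SetThreadContext and self-deletion behaviours are not registry events and need process or file telemetry (Sysmon EventID 8/10 and 23, for example), so they are deliberately outside this scorer.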

MITRE ATT&CK Matrix ATT&CK v6

Tactic               Technique                            Count  ID
Persistence          Registry Run Keys / Startup Folder   1      T1060
Defense Evasion      Virtualization/Sandbox Evasion       2      T1497
Defense Evasion      Modify Registry                      2      T1112
Credential Access    Credentials in Files                 1      T1081
Discovery            Query Registry                       4      T1012
Discovery            Virtualization/Sandbox Evasion       2      T1497
Discovery            System Information Discovery         2      T1082
Discovery            Peripheral Device Discovery          1      T1120
Collection           Data from Local System               1      T1005

Count is the number of matched behaviours mapped to each technique. The IDs are ATT&CK v6; T1060 and T1081 were retired in later versions (superseded by T1547.001 and T1552.001 respectively).

Tasks