General

  • Target

    ea02015ebbadefdbc7d4e33ab4982ef6db3cfe2ed42f19e8bef70358e219ec2f

  • Size

    376KB

  • Sample

    220521-bmgesscbb9

  • MD5

    119ede5d5ee880f593d56a1d1ed1c1db

  • SHA1

    be0b892fded59755957b6dcf70ac7c4f87dd7906

  • SHA256

    ea02015ebbadefdbc7d4e33ab4982ef6db3cfe2ed42f19e8bef70358e219ec2f

  • SHA512

    9c8b6e3a57fbdebf5d023a624bb996eb9cd3649c4f797b4b50e114618fa2eb1dc687ce23e6c123e55cb1b866e986ff830cc484d8e3a92b53fed95f4d6e3fba14

Malware Config

  • Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    ch62

  • Decoy

    priceground.com
    protmaxvigilancia.com
    allyboom.com
    calimerkids.com
    behproject.com
    everxs.com
    peertopeervaluetrading.com
    asosdiscountscode.com
    supersoloblitz.com
    allindiaexpo.com
    mountainpunks.com
    lawberrys.com
    myinsuranceclaimconsultants.com
    autoberles.center
    xn--circuitomioulla-7qb.com
    beheartratemonitoringkey.live
    bigcitypillows.com
    tresriosresortoffers.com
    ratmanrodentremoval.com
    fujiaseed.com

Targets

    • Target

      SWIFT COPY.exe

    • Size

      581KB

    • MD5

      da742ece94ba3ede7902f700f0f09954

    • SHA1

      b9983af1eb41fee6a0bbefc06e0e263ebf1291ba

    • SHA256

      28ddf0fa7f44508ea2b7c6f2de45496e5a031aa84d095c0b8c14732173073fc7

    • SHA512

      95d4e5c639878043d89c8f26d4e876bb3d83728e757e61a9a9f96d0a13dc936dcd28072083552b78e382241793af63cfbbabdaf1367cddd21b3c1413bceabc3a

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Virtualization/Sandbox Evasion (2) T1497

  • Discovery

    Query Registry (4) T1012
    Virtualization/Sandbox Evasion (2) T1497
    System Information Discovery (2) T1082
    Peripheral Device Discovery (1) T1120
