General

  • Target: 3f84431741cecf17b3a9529c376d23e474c31e8de26bab5da4d688be6c7332cb
  • Size: 281KB
  • Sample: 220521-bv78gsffal
  • MD5: 1f9942930c851bfb2d6de6af17bdbd41
  • SHA1: 8627146e5f2eb26e3eddbff6c4a120a1b23c577a
  • SHA256: 3f84431741cecf17b3a9529c376d23e474c31e8de26bab5da4d688be6c7332cb
  • SHA512: 9ba9e0caa112382ab68f4779b55d200e47e08d1e9b2ddd793f4b5380660549bfd6f27ae1e2eeebb059153cbc771e11e29fba93a79db429267537541411a9c3d3

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: c38r
  • Decoy:
    angleprotool.com
    drilldownaccountancy.com
    puur-bb.info
    laptoprepairbrighton.net
    mainstale.com
    soketones.com
    cohi.ltd
    washntivow.com
    datajagabon.online
    solidlike.com
    tapaznoncc.com
    deadoralive.site
    sharkapexdwal.com
    tribun-news.com
    67chain.com
    paramorphous.net
    chicagoxqa.com
    301zaq.info
    mansfieldpowdercoating.net
    stopdizzy.com

Targets

    • Target: contract supply list.exe
    • Size: 311KB
    • MD5: 1c8f2480d5bfe4d9bbe8bc432ccc5c97
    • SHA1: 5ff74ec7bd4d10582ce2c949ade827b1ccb23d21
    • SHA256: 24f64f0f4a0f7b860db4e664e4f4c76a08f20d3490966de4637958bbecc618ac
    • SHA512: 158ec88cc3d9ee15c2a96402e58547bd58896be18cc9502c8e204a21e85e3657cd4d07be03fba888911ff4d26e40b882afbc97ab6d04f8f1a67260205126acfe

    • Formbook
      Formbook is a data-stealing malware family.
    • Formbook Payload
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
      BIOS information is often read to detect sandbox environments.
    • Checks computer location settings
      Looks up the country code configured in the registry, likely for geofencing.
    • Deletes itself
    • Maps connected drives based on registry
      Disk information is often read to detect sandbox environments.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task (1) T1053
  • Persistence: Scheduled Task (1) T1053
  • Privilege Escalation: Scheduled Task (1) T1053
  • Defense Evasion: Virtualization/Sandbox Evasion (2) T1497
  • Discovery: Query Registry (5) T1012
  • Discovery: Virtualization/Sandbox Evasion (2) T1497
  • Discovery: System Information Discovery (4) T1082
  • Discovery: Peripheral Device Discovery (1) T1120
