General
-
Target
3b4194ae562a6c919c783536050e827de39ba0b00c6df58cf9e7083c19dddf53
-
Size
998KB
-
Sample
220521-bwe84aceg2
-
MD5
92d916b0bef62cc9ef9fa0c14b9436b1
-
SHA1
c4472e6162357ed64f152dbb130f782f5492a759
-
SHA256
3b4194ae562a6c919c783536050e827de39ba0b00c6df58cf9e7083c19dddf53
-
SHA512
5b1c62eb0a90148e6f848e29ee656d8f387629bcfdf0f662817149050314e7f4afdeb7b5597ad79c502b9e9b9f2ec5d0ca8ffc46f6b855a577702126d28d805e
Malware Config
Extracted
formbook
4.1
wus
generativecoaching.net
skillmosaic.com
practicalmaster.com
12aminmiami.com
instagramsupport.online
mainelse.net
qqysmr.com
wealthxd.com
videoadscreator.com
dltzscl.com
cotaforjulyans.com
forcend.com
shinjukufilm.com
bsq30.com
dragonsrose.net
loganbuys.com
wwwfitnessymusica.com
microbladingdublin.com
corporateiconic.com
sunshinegroupnyc.com
Targets
-
-
Target
New PI PL.exe
-
Size
945KB
-
MD5
332e036148c15d2453735b513bb8d693
-
SHA1
ffe088da337a5d87baeb1f3de49f83ff6a607c0a
-
SHA256
d4cca60154fcc667ada19dffbac16f84b51691a540daf850a766b91bd46544fe
-
SHA512
099a9ad6dd681e580e7ab0ab1798a51ccb9ce92a9ed001e7a8e49f0c57a714932cbc20c06670683fdb67be1ab88ba4b54e4f67568884deed1bc8921ecee4aed9
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-