Overview

overview

10

Static

static

1TOFpZKvqyRVuuy.exe

windows7_x64

10

1TOFpZKvqyRVuuy.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    df417213b446bedf049255ef08d9deca75544ec1f6931633b7d58c31ea167f13

  • Size

    265KB

  • Sample

    220521-ce7gpadge5

  • MD5

    4f8dc90155bd0528495ddef2c7453c54

  • SHA1

    52b710b3c7550729871b83223382ff601d44c016

  • SHA256

    df417213b446bedf049255ef08d9deca75544ec1f6931633b7d58c31ea167f13

  • SHA512

    dad4ae66e8cfdbecd667d5077875ad584e31a050f8fafbdb481b6552518632564070266e6650fde0d9355681ad6a242d2472f36353b46975c7625951f3a0ebc1

Score
10/10
formbookdujevasionpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

duj

Decoy

deapink.pink

tkmdz.com

nytzshicai.com

photos-identite-dijon.com

ekanun.net

xn--fiqy4bxl57l9sag6f6wb.ink

slivercat5.com

ai-ethics.net

510ns.com

inotherways.com

ridesharesettelment.com

zjxiangnong.com

aoraessentials.com

sheap-list.com

heshengqy.com

experts-comptables-paris-17.com

parissummerolympics2024.info

gtyx88.com

devopsonjob.com

vodacred.com

Targets

    • Target

      1TOFpZKvqyRVuuy.exe

    • Size

      302KB

    • MD5

      4a15e3620504681438565df947f5a702

    • SHA1

      750e4c022b615a9cc9ff4a8ebb3091e66244815f

    • SHA256

      b43bca6dcc03b6c289b15fd6dde4bde2dee13d024f08b0ca47efefc9d9aa3d8c

    • SHA512

      60d107c9a2d75c899919a69f55020ca60053ce164a8a796af78202fa1b56127c595d7b846da36c22da16390e1f0d51fdfca7902e8d7e25b3735115c16f4472e4

    Score
    10/10
    formbookdujevasionratspywarestealertrojanpersistencesuricata

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Adds policy Run key to start application

      persistence

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks