Malware sandboxing report by Hatching Triage

General

Target

b342d170c6371e2d496b49b114e9c5834038d7292e63026f864e514378fb72b4
Size

284KB
Sample

220521-cq4j6seda2
MD5

3f7e05fa66b984077831615e3979b7f9
SHA1

4128dd01c0c99e54cd03f74b64c632aeffecc68f
SHA256

b342d170c6371e2d496b49b114e9c5834038d7292e63026f864e514378fb72b4
SHA512

294b8300fae5c1b654c270daa8d4339000f4b4dd201902334650e303f52e849e633d363cb1d2bae8371658862d1f72086e97311565ae8c46e3090de391557d83

Score

10^/10

Malware Config

Extracted

Family	formbook
Version	4.1
Campaign	app
Decoy	niresandcard.com bonusscommesseonline.com mezhyhirya.com paklfz.com bespokewomensuits.com smarteralarm.info munespansiyon.com pmtradehouse.com hotmobile-uk.com ntdao.com zohariaz.com www145123.com oceanstateofstyle.com palermofelicissima.info yourkinas.com pthwheel.net vfmagent.com xn--3v0bw66b.com comsystematrisk.win on9.party isnxwa.info my-smarfreen3.com eareddoor.com kfo-sonnenberg.com conceptweaversindia.online ledgermapping.com fashionartandmore.com broemail.com bs3399.com minds4rent.com 182man.com dionclarke.com naakwaley.com huoerguosicaiwu.net langongzi.net haz-rnatresponse.com confidentcharm.com yshtjs.com phiscalp.com walletcasebuy.com history.fail al208.com kitkatwaitressing.com fxmetrix.com riyacan.com garrettfitz.com worldaspect.win serviciodomicilio.com yngny.com acaes.info jujiangxizang.com mysteryvacay.com extensiverevive.com feelgoodpainting.com dtechconsultants.com manufacturehealth.com khmernature.com archaicways.com westlakegranturismo.com transporteselruso.com cultclassics.net anne-nelson.com warminch.com bihusomu40.win norjax.com niresandcard.com bonusscommesseonline.com mezhyhirya.com paklfz.com bespokewomensuits.com smarteralarm.info munespansiyon.com pmtradehouse.com hotmobile-uk.com ntdao.com zohariaz.com www145123.com oceanstateofstyle.com palermofelicissima.info yourkinas.com pthwheel.net vfmagent.com xn--3v0bw66b.com comsystematrisk.win on9.party isnxwa.info my-smarfreen3.com eareddoor.com kfo-sonnenberg.com conceptweaversindia.online ledgermapping.com fashionartandmore.com broemail.com bs3399.com minds4rent.com 182man.com dionclarke.com naakwaley.com huoerguosicaiwu.net langongzi.net haz-rnatresponse.com confidentcharm.com yshtjs.com phiscalp.com walletcasebuy.com history.fail al208.com kitkatwaitressing.com fxmetrix.com riyacan.com garrettfitz.com worldaspect.win serviciodomicilio.com yngny.com acaes.info jujiangxizang.com mysteryvacay.com extensiverevive.com feelgoodpainting.com dtechconsultants.com manufacturehealth.com khmernature.com archaicways.com westlakegranturismo.com transporteselruso.com cultclassics.net anne-nelson.com warminch.com bihusomu40.win norjax.com

Targets

- Target
  
  TT copy 2094782.exe
- Size
  
  358KB
- MD5
  
  9d4da0e623bb9bb818be455b4c5e97d8
- SHA1
  
  9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0
- SHA256
  
  091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8
- SHA512
  
  6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37
Score

10^/10

formbook app evasion persistence rat spyware stealer suricata trojan
- Formbook
  Formbook is a data stealing malware which is capable of stealing data.
  trojan spyware stealer formbook
- suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata: ET MALWARE FormBook CnC Checkin (GET)
  suricata
- suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  suricata
- Formbook Payload
  rat
- Looks for VirtualBox Guest Additions in registry
  evasion
- Adds policy Run key to start application
  persistence
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Collection

Data from Local System

Command and Control

Credential Access

Credentials in Files

Defense Evasion

Discovery

Execution

Command-Line Interface

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

Tasks

Sharing

General

Malware Config

Extracted

Targets

Formbook

suricata: ET MALWARE FormBook CnC Checkin (GET)

suricata: ET MALWARE FormBook CnC Checkin (POST) M2

Formbook Payload

Looks for VirtualBox Guest Additions in registry

Adds policy Run key to start application

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Deletes itself

Reads user/profile data of web browsers

Adds Run key to start application

Maps connected drives based on registry

Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2