General

  • Target

    b342d170c6371e2d496b49b114e9c5834038d7292e63026f864e514378fb72b4

  • Size

    284KB

  • Sample

    220521-cq4j6seda2

  • MD5

    3f7e05fa66b984077831615e3979b7f9

  • SHA1

    4128dd01c0c99e54cd03f74b64c632aeffecc68f

  • SHA256

    b342d170c6371e2d496b49b114e9c5834038d7292e63026f864e514378fb72b4

  • SHA512

    294b8300fae5c1b654c270daa8d4339000f4b4dd201902334650e303f52e849e633d363cb1d2bae8371658862d1f72086e97311565ae8c46e3090de391557d83

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

app

Decoy


Targets

    • Target

      TT copy 2094782.exe

    • Size

      358KB

    • MD5

      9d4da0e623bb9bb818be455b4c5e97d8

    • SHA1

      9bc2079b5dd2355f4d98a2fe9879b5db3f2575b0

    • SHA256

      091ff5f5bab1cbb2d27a32fedaff1f64dd4004e4a68665e8d606e28585d928a8

    • SHA512

      6e6fab5f4a045349717762ff782527e778b40c5f41ce32428c63aea0dd6e8b73bfdaf3ac55474275f716e9f84632906196edafc4337d816055a69b2ea0904e37

    • Formbook

      Formbook is data-stealing malware.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Adds policy Run key to start application

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Execution

  • Scheduled Task (T1053): 1

  • Command-Line Interface (T1059): 1

Persistence

  • Registry Run Keys / Startup Folder (T1060): 2

  • Scheduled Task (T1053): 1

Privilege Escalation

  • Scheduled Task (T1053): 1

Defense Evasion

  • Virtualization/Sandbox Evasion (T1497): 2

  • Modify Registry (T1112): 3

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 5

  • Virtualization/Sandbox Evasion (T1497): 2

  • System Information Discovery (T1082): 5

  • Peripheral Device Discovery (T1120): 1

Collection

  • Data from Local System (T1005): 1

Tasks