General
-
Target
5114955491d5400511f2c6d6efdc4338d0f7ef7b85f4f3b1d66ffa78f796b81a
-
Size
274KB
-
Sample
220521-dh2laafgb7
-
MD5
c9ff3c2135d57620806738a498933592
-
SHA1
4394db5449fd92bfda74a60d482466ca3b16a482
-
SHA256
5114955491d5400511f2c6d6efdc4338d0f7ef7b85f4f3b1d66ffa78f796b81a
-
SHA512
eb1f16834d6337d798ce74a97486a39b9602b8fb216cc5e7d32e864128d838ed75fb502aa5519f000db2498fa863eb89f21e4f81913363d1e33b3ab785f4b35d
Malware Config
Extracted
formbook
3.9
zc9
jncnsbc.net
joserodriguezmedinaehijos.seat
hirasyour-onestoptailor.net
ratch328.com
monroauto.com
tropicservicesoffer.com
dubaiangels-mail.net
brookerenee.com
service-support.business
softvikram.com
shuyabaojie.com
peiqilai.com
depart.ltd
srtextilesonline.com
li-h.net
lawssales.com
middlestream2014.com
tribemarketer.com
leaawards.com
fztzlc.com
Targets
-
-
Target
Demand.exe
-
Size
311KB
-
MD5
494a613b4431fab36d742a03b9346f38
-
SHA1
401ab4d705dfd2fa401ceda974cea623d4d773bb
-
SHA256
75952934e5ef6bb74f29c3320ef112e219cc953dc5ed8c351d742448f61161ff
-
SHA512
b939cedd41ec3f60e0054ea75eaede0875988bb4ff9da1cf2a4241f23833d4b8cc9fa3aad465332778bfe1dbcb1932f14249cbadec8ba4b232092be59af23ece
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Modifies Windows Defender Real-time Protection settings
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
suricata: ET MALWARE FormBook CnC Checkin (POST) M2
-
Formbook Payload
-
Looks for VirtualBox Guest Additions in registry
-
Adds policy Run key to start application
-
Looks for VMWare Tools registry key
-
Checks BIOS information in registry
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext
-