General

  • Target

    948e0acfa084f97be864d2d03bc72d1996ab17f1ef7aec5f9f64eef1f498adae

  • Size

    591KB

  • Sample

    220521-nest3sgfhp

  • MD5

    01463bce11a2fb41cc48f62f01ca04ad

  • SHA1

    d298e90f1eb91bafeb4e6948b844f77a7aad5a0f

  • SHA256

    948e0acfa084f97be864d2d03bc72d1996ab17f1ef7aec5f9f64eef1f498adae

  • SHA512

    160714c33f76a998d41aaf25fe82b1bdd673a22f64dc1a254768dd29f4e254ef369c2276e6d06f4c0f7a583a626357c5a5ffb7ba240ec230befd40be9b1f8283

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    hnh

  • Decoy

    stackingplans.info
    landscapingcanberra.com
    apxlegal.com
    gzajs.com
    senladvocaten.com
    stephanieabella.com
    indivmgtsvc.com
    wildlife-botanicals.com
    fingrfull.com
    ustar-electric.com
    timesharebefree.com
    safefirstresponder.com
    giliticketoperator.com
    silverstarscents.com
    4752condordrive.info
    joomak.net
    new-auto-news.com
    ottodesign.store
    kxg01.com
    chrisoncreation.com

Targets

    • Target

      Quotation - 8 x E8.exe

    • Size

      731KB

    • MD5

      659e8ae340e34797dff706eb709cff1c

    • SHA1

      ec7e57582857f4801bbebe9ca9d96b156906be78

    • SHA256

      b1d72f54b46528f1dd2265231ea91a8dcc2a4461dc897e1f7bd8d5e915f189f2

    • SHA512

      ca3ded1c8a3237c6104f41a330f9db1ed0970ae032ce17758eeac6571e660d1196af32b71e7003e0151f692ac25db2b84f3f9751b7c397712bdb4defbafa984e

    • Formbook

      Formbook is a data-stealing malware.

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

  • Discovery

    Query Registry (T1012): 4
    Virtualization/Sandbox Evasion (T1497): 2
    System Information Discovery (T1082): 2
    Peripheral Device Discovery (T1120): 1

Tasks