General

  • Target

    b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d

  • Size

    581KB

  • Sample

    240507-azeajaae41

  • MD5

    8ebd77032131fa4c9a524b48f241f6ce

  • SHA1

    0cc05beba021427f9a8b6d3b1395bf820355a820

  • SHA256

    b79369c7e79099736c882b54a54898237dc1506acef308849e8cfa88277de46d

  • SHA512

    a3655e41379df08f23a3242bec23464d261e562785d298b2372275c9040d137209ca9cb6a7e863a796aae02f502456e800a701d0d02de5fcae71c4399a7c832f

  • SSDEEP

    6144:TBMEPlABQ0OaqtszpR8V2hYHgORzw+A9PVsZWeDkDu+I2h7whAzO0KZfNrH/:T9Aq0OaqO/8VTXsNvkRNBXZfNL/

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    sk

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Detects executables packed with Cassandra/CyaX

    • Detects executables packed with ConfuserEx Custom; outside of GIT

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15