General

  • Target

    JaffaCakes118_5309bd66ae8e9862db4fc8c7221e69b4fab0d4acfc27ad60f8b79b56626ea2d5

  • Size

    1.2MB

  • Sample

    241225-zchrwaxjfl

  • MD5

    4153e97a7f99c8e80ff711b8b84654d3

  • SHA1

    b57a11c174cd49da7c01304bdb5f78dc9583c59c

  • SHA256

    5309bd66ae8e9862db4fc8c7221e69b4fab0d4acfc27ad60f8b79b56626ea2d5

  • SHA512

    8a0daafbd2a43a27974835bffb8163431767ad20a243e928def08dbd13f2ee033a1f6e75dfa88302af84a845d646178bc70a2bf66d2de9ed7f3be0bdc4de776d

  • SSDEEP

    24576:swGOGntHnxVwHsfjsHYX/K/lsEwTS0xvEnPVT9lODBoykaqLYdEU+RMqKK:NqtH0As4X/qGZxWdT9lOtBkS+yK

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    ruje

  • Decoy

    pelezinhojj.com
    tf2landscape.com
    dianyuanb2b.com
    franklinvisioncenter.net
    sdamanagement.net
    k7kitchendessert.com
    receipeday1.xyz
    urbandbracelets.com
    lyticstnpasumo5.xyz
    pingwangjinrong.com
    crocodials.com
    beeldacademie.com
    loverlykids.com
    yougouelectronics.com
    ayushbeautypharma.com
    fortinetpartnersynergy.com
    olimplinfo.xyz
    nzn2.com
    3brlck.com
    htp-352vvm.com

Targets

    • Target

      t9w7eLEE781llAk.exe

    • Size

      1.3MB

    • MD5

      3903301e617641ad7609ca7e09b4bb80

    • SHA1

      2544df38e978f6aaf53ca5ccbb4078befa745351

    • SHA256

      83f231a4e196b10089d16db819c71bfc5cc543fb55ea5ea63aee2d1285ff3dc3

    • SHA512

      fcb598ae444827eb6bdac4567ffcb1b18af792f6d4d19e9b788543994ab5b53529c5df21d45681ec45cd76f49477fa1f789a0db0ad73f00ba6e75272af912851

    • SSDEEP

      24576:B7YXNa2kita4HBIb6kFgaGvVNfZM58gN8GdvwPJORyyIwU6XOHtEga:hQa2kit4GksxMOPuvwIKX2Oyga

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Looks for VirtualBox Guest Additions in registry

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Looks for VMware Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks