Overview

overview

10

Static

static

3

PIsept2020.exe

windows7-x64

10

PIsept2020.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_71381247497fba4f3392ddd62fe162201e0085a9afe1b3b9d62e7c15281d86e2

  • Size

    611KB

  • Sample

    241230-g928ns1kfz

  • MD5

    baf0d5fcc15f028c10508a0d60a2dfb0

  • SHA1

    5c11a2fdab64c8b952a8359fb8c790c976f32347

  • SHA256

    71381247497fba4f3392ddd62fe162201e0085a9afe1b3b9d62e7c15281d86e2

  • SHA512

    e60ae229bd3518bbbf3f88968997b49eeb48c4190bfbb8f7dbac1b8e8e9689cbb107a55bfa7f4854fe8e7758d5cf8500f02d9cc198a77f44db4060691cfe37e1

  • SSDEEP

    12288:qR06sA/rNmUGxyTcCpdiXgVcG9VuZutbsOTnc0NEhKpPrRqz7IL:d1AhHGMRpdesJnE+dEw

Score
10/10
formbookwt6discoveryevasionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wt6

Decoy

mdjbjsc.com

twosparrowslsbusiness.com

captipe.info

spirtofafrica.com

teacher4today.com

d9masks.com

americanveteransparks.com

originvinylvermont.com

lifeguardboat.net

neynunescuritiba.com

4activelife.xyz

tiniytie.com

schirmenworld.com

nogbeter.com

bikerm.com

higherpurposeproject.com

melloband.com

cremgrs.com

chengyuanwai.com

multiplewealthsecrets.com

Targets

    • Target

      PIsept2020.bin

    • Size

      714KB

    • MD5

      7f63c36771bdf84fdcb80b1b6a8ce300

    • SHA1

      7e027829b30e9795006725712c5666f3ff54bdbe

    • SHA256

      cba7797f53633aeb00ed0c8418ee90e28b7fe7bc4e787521eef333ff6a67c627

    • SHA512

      198cabbf51817d47165c318b3308701ccce4b04ce88712d7984deeda2c52b4baf7bf75758d77a3ceba3c5e22689a8ced13c78322fa2d6a7f950f0bd966f2129f

    • SSDEEP

      12288:EsyixjQfJkrWEm0Zux8Y8nMdByNjolspgZRZu48Jcx0Ksz5XxM4Sh:EsyIjfo0Q6NnasNjoe2vf9x0Ko5Srh

    Score
    10/10
    formbookwt6discoveryevasionratspywarestealertrojanpersistence

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook family

      formbook

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • Formbook payload

      rat

    • Looks for VirtualBox Guest Additions in registry

      evasion

    • Looks for VMWare Tools registry key

      evasion

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Windows security modification

      evasiontrojan

    • Adds Run key to start application

      persistence

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Defense Evasion

Impair Defenses

2
T1562

Disable or Modify Tools

2
T1562.001

Modify Registry

4
T1112

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

5
T1012

System Information Discovery

4
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Virtualization/Sandbox Evasion

2
T1497

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks