General

  • Target

    ATR1.exe

  • Size

    574KB

  • Sample

    200731-l1gk3tya1j

  • MD5

    020d56ce7d0a45a896c811550e05ce9d

  • SHA1

    814c8ddbc50e9e158e63bdd745d683dcb636c2a6

  • SHA256

    06078629129c4bc1abb214bbbe1bfadca65b618ac9f6f93fc3b22d0a37740f5b

  • SHA512

    ce565aafb7593d5aa8393a46d27823a90c26e923a15a77252e0be1dbae4845254aa83f35ea44c18964490a7769431aeecffb80052e1f1b5af4b44d8028122dff

Malware Config

Targets

    • Target

      ATR1.exe

    • Formbook

      Formbook is an information-stealing malware family (credential and form-data theft).

    • Formbook Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1

  • Defense Evasion

    Virtualization/Sandbox Evasion (T1497): 2

  • Discovery

    Query Registry (T1012): 4

    Virtualization/Sandbox Evasion (T1497): 2

    System Information Discovery (T1082): 3

    Peripheral Device Discovery (T1120): 1

Tasks