Overview

overview

10

Static

static

orden pdf.exe

windows7_x64

10

orden pdf.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    orden pdf.exe

  • Size

    1.8MB

  • Sample

    210118-812je2qa56

  • MD5

    64ce539f8167e9cc887a87f859533933

  • SHA1

    a736ba56beb2b342468f36f63e7dce53777dbb34

  • SHA256

    f6397532d0b859cf1b26c55f29ec9af49613ce462643d4dc31478c4f231d2833

  • SHA512

    d5b763e6259ab3cc9955583ddf20a378de6f73d2286243ee5bb1453244321300ffb9bf274dd45ccf43575ddb83fd0fcd71267e11c4f2c44b0b868a905ff59e21

Score
10/10
formbookpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.joomlas123.info/n7ak/

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

Targets

    • Target

      orden pdf.exe

    • Size

      1.8MB

    • MD5

      64ce539f8167e9cc887a87f859533933

    • SHA1

      a736ba56beb2b342468f36f63e7dce53777dbb34

    • SHA256

      f6397532d0b859cf1b26c55f29ec9af49613ce462643d4dc31478c4f231d2833

    • SHA512

      d5b763e6259ab3cc9955583ddf20a378de6f73d2286243ee5bb1453244321300ffb9bf274dd45ccf43575ddb83fd0fcd71267e11c4f2c44b0b868a905ff59e21

    Score
    10/10
    formbookpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spyware

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks