Overview

overview

10

Static

static

file.rtf

windows7_x64

10

file.rtf

windows10_x64

5

Sharing

Copy URL
Twitter E-mail

General

  • Target

    file

  • Size

    2.1MB

  • Sample

    210122-72d51tx8hn

  • MD5

    8722742e5c06fa177d89e333eb144672

  • SHA1

    0e47b669b2e65a2feda0acdf07e654b358dacb2e

  • SHA256

    415df6eced9ab10f5acdc12b53746463692d9ba2e697dee481989300e4ae98e1

  • SHA512

    6b024bd1a1c23b52409a08321d25582b5487476205d377354cf152d7befb379ff53bbbe0a4ab339dac0dccd8cc8a21fe9e8846bb9ff5d80ba9dc7b6280176173

Score
10/10
formbookransomwareratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.transparentpetcrate.com/lnb/

Decoy

sauschwein.info

ywpntv.com

gironbeautysalon.online

cryptogeekstuff.com

leosrock.com

sistersv.space

ilss.life

vshuzi.com

europeanculinarymagic.com

mdtlalab.com

boletasenorden.com

eebushe11.com

sms8888.com

arrogantjerxs.com

aboudmotors.com

vzuels.com

searko.com

thathealthysoul.com

365wt38493984284.com

solarpanelsystemflorida.com

Targets

    • Target

      file

    • Size

      2.1MB

    • MD5

      8722742e5c06fa177d89e333eb144672

    • SHA1

      0e47b669b2e65a2feda0acdf07e654b358dacb2e

    • SHA256

      415df6eced9ab10f5acdc12b53746463692d9ba2e697dee481989300e4ae98e1

    • SHA512

      6b024bd1a1c23b52409a08321d25582b5487476205d377354cf152d7befb379ff53bbbe0a4ab339dac0dccd8cc8a21fe9e8846bb9ff5d80ba9dc7b6280176173

    Score
    10/10
    formbookransomwareratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Formbook Payload

      rat

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

3
T1082

Query Registry

2
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks