General

  • Target

    6.exe

  • Size

    906KB

  • Sample

    210419-fltdchp83a

  • MD5

    69802992de34a4988baf0045a2d1dccf

  • SHA1

    5a568d6d7a56a1f1bd81a6dd5a7487a7b7b6dff3

  • SHA256

    de9d32e10118cdc282e1e20d42c53c061f0d9c727c88af95f8d9059ea163e2f6

  • SHA512

    a1a5e73f86ab933256a3689c1ad06f17534a06ac0cc8446a5e23c462e787d56b9887399660823ebfed7b0069745624e48a8acd1575e98efcb273dbe006dfe202

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/n7ak/

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family (an information stealer).

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • Formbook Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Modifies Installed Components in the registry

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                            ID     Count
  Execution        Command-Line Interface               T1059  1
  Persistence      Registry Run Keys / Startup Folder   T1060  3
  Defense Evasion  Modify Registry                      T1112  4
  Discovery        System Information Discovery         T1082  1

Tasks