Overview

overview

10

Static

static

Il nuovo o...to.exe

windows7_x64

10

Il nuovo o...to.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Il nuovo ordine e nell_elenco allegato.zip

  • Size

    421KB

  • Sample

    210507-eg42e3gc6j

  • MD5

    d87e4acea13d3cdcffeeebc7fa85aa63

  • SHA1

    75357bda6ce507455a1244dc97501f6313ecebfd

  • SHA256

    cd068f9d22ec9cacacf5695544437b16d7c4c2780059c99c0b84fe8e18b21c4f

  • SHA512

    8dc3af647725fc9b1b1fb7f2f8c486ad1a0150821c77ee46ed170135fee7eb89f9b4df94fb0181f9ac7d338a4997357720335fe83512e6d76937a4c86d26f0d2

Score
10/10
formbookpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

    • Target

      Il nuovo ordine e nell'elenco allegato.exe

    • Size

      892KB

    • MD5

      9846100114f47c1fb95da84c09ef9f0d

    • SHA1

      715510bcef9517706b28ea506e39df8e4c8c4f5f

    • SHA256

      e01f8eb3903e53f65591dbfb5ae2dda83eb77b50ddfa598ca12fc627e35fe2fa

    • SHA512

      447b2bb4b7adc2ec150a324d1c2909b00742c3741af8996d043158436219def4899b44d69d6d1e518810cf945dc2d7b7e84e5952686bee858eb4123eb96678c0

    Score
    10/10
    formbookpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks