General

  • Target

    ghy87ck.msi

  • Size

    240KB

  • Sample

    210714-816frxvyts

  • MD5

    9c65bfe1486bdf4451757715342f481a

  • SHA1

    80196fcf884163d6daba116ae6ced64797ea5675

  • SHA256

    a7338368a74ea858b07c282d8a0bbff371f6154c9140d34d74311e0d3e1f15c0

  • SHA512

    f18d2ded359b3835d2b75f08af4ad389cc872d5efc478c06bdd4a19d980bdf8276522eb9db516387fb599985f295569dda14eace871fafbf4dc7f92610982031

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • C2

    http://www.craftsman-vail.com/cca/

  • Decoy

    whenpigsflyhigh.com
    artistiklounge.com
    tinytrendstique.com
    projektpartner-ag.com
    charvelevh.com
    easycompliances.net
    zengheqiye.com
    professionalmallorca.com
    bonzerstudio.com
    nelivo.com
    yangxeric.com
    aredntech.com
    twincitieshousingmarket.com
    allshadesunscreen.com
    xiang-life.net
    qmcp00011.com
    lindsayeandmarkv.com
    fbcsbvsbvsjbvjs.com
    saveonthrivelife.com
    newdpo.com

Targets

    • Target

      ghy87ck.msi

    • Size

      240KB

    • MD5

      9c65bfe1486bdf4451757715342f481a

    • SHA1

      80196fcf884163d6daba116ae6ced64797ea5675

    • SHA256

      a7338368a74ea858b07c282d8a0bbff371f6154c9140d34d74311e0d3e1f15c0

    • SHA512

      f18d2ded359b3835d2b75f08af4ad389cc872d5efc478c06bdd4a19d980bdf8276522eb9db516387fb599985f295569dda14eace871fafbf4dc7f92610982031

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (1) - T1059

  • Discovery

    Query Registry (2) - T1012
    Peripheral Device Discovery (2) - T1120
    System Information Discovery (4) - T1082
