Overview

overview

10

Static

static

copias SWI...96.exe

windows7_x64

10

copias SWI...96.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    copias SWIFT 2001736696.exe

  • Size

    886KB

  • Sample

    210804-lrmlsh6bse

  • MD5

    a4d36c26bb40008d29253076a08266fe

  • SHA1

    7239d87ab55386ca6d328ccb00f67b912972e420

  • SHA256

    10e69f027081ac8e4522e8e38ad5f30d3bb0526d421c2273b14b9726662ad770

  • SHA512

    56f35e906e522b5a2575a379dbddfed9eb32112f56fe6bda4163524e3dbdb0be7927441ab78834ebf7e685e995c0df9ecff7d526e59eacaaa9ac2c0b67c713dd

Score
10/10
formbookmodiloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.kmresults.com/n7ak/

Decoy

modischoolcbse.com

theneverwinter.com

rszkjx-vps-hosting.website

fnihil.com

1pbet.com

nnowzscorrez.com

uaotgvjl.icu

starmapsqatar.com

ekisilani.com

extradeepsheets.com

jam-nins.com

buranly.com

orixentertainment.com

rawtech.energy

myol.guru

utex.club

jiapie.com

wowig.store

wweidlyyl.com

systaskautomation.com

Targets

    • Target

      copias SWIFT 2001736696.exe

    • Size

      886KB

    • MD5

      a4d36c26bb40008d29253076a08266fe

    • SHA1

      7239d87ab55386ca6d328ccb00f67b912972e420

    • SHA256

      10e69f027081ac8e4522e8e38ad5f30d3bb0526d421c2273b14b9726662ad770

    • SHA512

      56f35e906e522b5a2575a379dbddfed9eb32112f56fe6bda4163524e3dbdb0be7927441ab78834ebf7e685e995c0df9ecff7d526e59eacaaa9ac2c0b67c713dd

    Score
    10/10
    formbookratspywarestealersuricatatrojanmodiloaderpersistence

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks