General

  • Target

    9284392fd96b31b3de8d8f664de3f0e4

  • Size

    436KB

  • Sample

    210915-wsk1dsbba4

  • MD5

    9284392fd96b31b3de8d8f664de3f0e4

  • SHA1

    9b2e8d834a7e50ec7e674433d019dbd19996036c

  • SHA256

    4f8799e5441c553ebbda342b6b06356a70dc432e5ac0434f4158146520b57ab7

  • SHA512

    61efcc329ba8f50c32de43ba0bfc66e6591158c12fcb095dfa3652e54fc799255a49e44c62f2022b807d51b432050f85d94a172dc0e186af40a21e3848c7c922

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o4ms

C2

http://www.nocodehost.com/o4ms/

Decoy


Targets

    • Formbook

      Formbook is an information-stealing (infostealer) malware family.

    • Formbook Payload

    • Adds policy Run key to start application

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   2      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      3      T1112
  Credential Access     Credentials in Files                 1      T1081
  Discovery             System Information Discovery         1      T1082
  Collection            Data from Local System               1      T1005

Tasks