61f55bceba5b9a52c750555d62fc7ae9

General
Target

61f55bceba5b9a52c750555d62fc7ae9

Size

973KB

Sample

211021-xbrmaabefq

Score
10/10
MD5

61f55bceba5b9a52c750555d62fc7ae9

SHA1

57f083ea441e1a67c2c1a99d264474ee49388fe7

SHA256

7080315530bc6d7ead65034c1587e4596d9dbf0fc17107fbb28f84bf016009f9

SHA512

f7f00c594d03a73dd8b3c85df4a2ad17aac0fab0ab274ac08ee5dadb51218ce49ec7c89f8feaf0805a49fd8f11abbf29a0d397a248467d4f17fda37290dd9712

Malware Config

Extracted

Family formbook
Version 4.1
Campaign og2w
C2

http://www.wakecountyrealtyexpert.com/og2w/

Decoy

Targets
Signatures

  • Formbook

    Description

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)
  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2
  • Formbook Payload

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    TTPs

    Data from Local System
    Credentials in Files
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder
    Modify Registry
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation