Overview

overview

10

Static

static

61f55bceba...e9.exe

windows7_x64

10

61f55bceba...e9.exe

windows10_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    61f55bceba5b9a52c750555d62fc7ae9

  • Size

    973KB

  • Sample

    211021-xbrmaabefq

  • MD5

    61f55bceba5b9a52c750555d62fc7ae9

  • SHA1

    57f083ea441e1a67c2c1a99d264474ee49388fe7

  • SHA256

    7080315530bc6d7ead65034c1587e4596d9dbf0fc17107fbb28f84bf016009f9

  • SHA512

    f7f00c594d03a73dd8b3c85df4a2ad17aac0fab0ab274ac08ee5dadb51218ce49ec7c89f8feaf0805a49fd8f11abbf29a0d397a248467d4f17fda37290dd9712

Score
10/10
formbookog2wpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

og2w

C2

http://www.wakecountyrealtyexpert.com/og2w/

Decoy

patriotxf.com

thecreagles.com

riverdenim.com

cybqo.com

zzfangnan.com

empowerhis.com

resiliencewearmiami.com

myticketly.com

pistachio.land

13055.club

millennialsofacertainage.com

jnxdsgc.com

pixelsandplastic.digital

bugroster.com

chargedockz.com

gzyazsp.com

sintec-consultores.com

pourtonmobile.com

upmhss.com

amkanalrajhi.com

Targets

    • Target

      61f55bceba5b9a52c750555d62fc7ae9

    • Size

      973KB

    • MD5

      61f55bceba5b9a52c750555d62fc7ae9

    • SHA1

      57f083ea441e1a67c2c1a99d264474ee49388fe7

    • SHA256

      7080315530bc6d7ead65034c1587e4596d9dbf0fc17107fbb28f84bf016009f9

    • SHA512

      f7f00c594d03a73dd8b3c85df4a2ad17aac0fab0ab274ac08ee5dadb51218ce49ec7c89f8feaf0805a49fd8f11abbf29a0d397a248467d4f17fda37290dd9712

    Score
    10/10
    formbookog2wpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks