5aad2b6635b3069402aaf6ff389bea64

General

Target: 5aad2b6635b3069402aaf6ff389bea64
Size: 21KB
Sample: 211125-tvsrxafgbr
Score: 10/10
MD5: 5aad2b6635b3069402aaf6ff389bea64
SHA1: a8617ddffd6c934fcf3f64c6e84b1a23ffa9d092
SHA256: 718dcc870c0de487595feed4e5e43dc70fba6fa2aaac15462c0ba5c20028e7bd
SHA512: 2bcdcc3775f8d2a163b8b564232a5839fe625b8ab7f8b6de613b57abf436e6acb095d5bc2a081e966aa4422a9edb9a81df031d4da40add21cef4404aa45a5d3d

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: 9gr5
C2: http://www.cuteprofessionalscrubs.com/9gr5/

Decoy

Signatures

  • Formbook

    Description: Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Formbook Payload

  • Blocklisted process makes network request

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Uses the VBS compiler for execution

    TTPs: Scripting

  • Suspicious use of SetThreadContext

Tasks

static1

behavioral2

1/10