Overview

overview

10

Static

static

Lista de o...DF.exe

windows7_x64

6

Lista de o...DF.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Lista de orden_.0927272829229.PDF.zip

  • Size

    366KB

  • Sample

    220316-v1rx8sdfgj

  • MD5

    f614eb3e41163f8e990eeb0235c35dd2

  • SHA1

    ee360a6e2aebd65332269d696c1348fdc12f588f

  • SHA256

    382db49b891a9d2df05ce4ca1335868fa3cff3896ca905d56c84baa5b28371b0

  • SHA512

    5a78e30bacebbe02bd9d2b0b0cb984bf18a13f86d280ba3aef1b6f6dcab9ed559fdb632b673d16e56e91ce2a6c60b134658318aea396b1b6d6e0a883ed2f0b7b

Score
10/10
formbook3noppersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Targets

    • Target

      Lista de orden?.0927272829229.PDF.exe

    • Size

      683KB

    • MD5

      5879dcb6632d8c3d53f39a29e86cdcce

    • SHA1

      97c358a006711c52a4647c3db520a9fdb575e952

    • SHA256

      a84bdf209b862ffbdf3d963611eec3c1c2d70024e24041727a49bc618d6ff4cd

    • SHA512

      80778f7cfdea1f20b8a44a4633558dfc22475cadeb54b9477cb739d59f85c70a26b8b9dab84c62347d719438849cb91ef0da8de174af022c09b87d2a06c6d4eb

    Score
    10/10
    persistenceformbook3nopratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Registers COM server for autorun

      persistence

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Executes dropped EXE

    • Sets file execution options in registry

      persistence

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

3
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks