Overview

overview

10

Static

static

INV-COPY##...df.exe

windows7_x64

10

INV-COPY##...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7a0d901c8b9b67190044d81bfe56f8df6d175f46a9279de7d2207cd2c212a1af

  • Size

    295KB

  • Sample

    220420-kyvagaeac9

  • MD5

    ca6db9f0415fa20dc1f9f065027c2ff0

  • SHA1

    a102768f24ded1416c42f12ea54bdc8def8c795d

  • SHA256

    7a0d901c8b9b67190044d81bfe56f8df6d175f46a9279de7d2207cd2c212a1af

  • SHA512

    eeb247262a0964d46fa47cd77a9df8f851cad7b7ceeede73741233f02513f35b94e9318a828726b47aeb34e400f457c4a40a39003f79a0099011309fb0a3c5b8

Score
10/10
formbooktnkpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tnk

Decoy

lafioletto.com

mgiuj.com

wolllafvixzies.win

wwwsbvip123.com

nadyaasnae.com

noticesinvoice2017.com

intercapati.com

tg8895.com

9245654874.com

lytsxc.info

rffuf3-liquidwebsites.com

verguet.com

peinturefleursetfemmes.com

xttmrama.com

cryptoinvestmentideas.com

kikumasacarparts.win

freeapk1.com

tasteofimagination.com

gxzyoa.com

cq-mingwei.com

Targets

    • Target

      INV-COPY##5673245367.pdf.exe

    • Size

      370KB

    • MD5

      ed10ee915e1021997c1de8de34c8c614

    • SHA1

      060391504b94d40da85f7ec620cc342eaf7f3a55

    • SHA256

      0a3ccff2a6b6ee6c506c71db29a49c6e7651a562b8c2c60c8bca3d8c48355875

    • SHA512

      93e1900388f76bf08354c42e86eabe4b306a077f1e791e660cfd1e276b6e20b15b42d9c579f1d3c0691144efb6f1814de7e20c53db7a372c17f312b275921167

    Score
    10/10
    formbooktnkpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks