Overview

overview

10

Static

static

5

odeme SWIFT.exe

windows7_x64

10

odeme SWIFT.exe

windows10-2004_x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    92a841c1968bcbb08c081fa2df12d16e4a8011a49600c501cc49ffbe9360e8d5

  • Size

    1.0MB

  • Sample

    220508-xq61hsafep

  • MD5

    2918f797cdf98fa40cf9508a43cb44b3

  • SHA1

    e0ce17e9c81d0aee6fd6f2a0c3793a19f98708ab

  • SHA256

    92a841c1968bcbb08c081fa2df12d16e4a8011a49600c501cc49ffbe9360e8d5

  • SHA512

    b7429dc86e00e9ff01b37bc4723b40a92d860ac6e95b4c9deefb0bd7ad39e3a8d34844cb81af67ec5c0a0585afbdfcf0a1004cc765c6ff49c5e86f692c4ac6cb

Score
10/10
formbookn7akpersistenceratspywarestealersuricatatrojanupx

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

Targets

    • Target

      odeme SWIFT.exe

    • Size

      1.6MB

    • MD5

      586e761b6f03a2ea904ca2b3c8ad24e2

    • SHA1

      34893070fbd5fa441bdff1313c20793c25d1e7c0

    • SHA256

      199533f77cb4331908a90346f24610888ef42d6dd2f9866b733752426702e737

    • SHA512

      67058f6f9932d17bffefa2c6780b85f4c7fc731addbf15df4cff694e0067d29833103e23315a5c767f0cd4a6bd5ac810519b86760142caf78c49e21d47013a9e

    Score
    10/10
    formbookn7akpersistenceratspywarestealersuricatatrojanupx

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Deletes itself

    • Drops startup file

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks