General

  • Target: 259e5ef027d03917665224d147607bb75367f2089e66633d6fa7d7918b7a6706
  • Size: 356KB
  • Sample: 220520-2l11xsfeg5
  • MD5: a09661bf64377054fe62276e8f4a9c48
  • SHA1: 480a86f34bee80ae3d5326411c77e376c1c3471e
  • SHA256: 259e5ef027d03917665224d147607bb75367f2089e66633d6fa7d7918b7a6706
  • SHA512: a16c789fb6898c8e5e2a14019005cc1c6cad3b2bceefdf2dea65e55f9b2f2aa6529ac18d41cef34ac60c356eca285a183b57589a36c971cdac16b8b8136b94ac

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: kvsz
  • Decoy domains:


Targets

    • Target: orden de compra.exe
    • Size: 442KB
    • MD5: e9af9f387d78e1f4ee36f4f477bbdbad
    • SHA1: 27dcc86366c3b154f68290ea5663de6e42522478
    • SHA256: 9bd3202d7f71a48a80d612198106d7180c0e0350a79c970863ec0cd19cc6b47a
    • SHA512: 68c94011095e67e6bbd695573895f5b7df262777b10f6eb7ae9b9bd867f56c30dcabb3c3aab340ce579c68feb958da1a495cfdd691f7188e001afaa2b3dcfc04

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task, T1053 (1)
  • Persistence: Registry Run Keys / Startup Folder, T1060 (1); Scheduled Task, T1053 (1)
  • Privilege Escalation: Scheduled Task, T1053 (1)
  • Defense Evasion: Modify Registry, T1112 (2)
  • Credential Access: Credentials in Files, T1081 (1)
  • Discovery: Query Registry, T1012 (1); System Information Discovery, T1082 (2)
  • Collection: Data from Local System, T1005 (1)

(The number in parentheses is the count of matching behaviour signatures reported for that technique.)

Tasks