Overview

overview

10

Static

static

order SEC.exe

windows7_x64

10

order SEC.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1f7fab26098e805c651f1c6fdbbfb99e1d1de4cf0c4564d0ff460aae879d815a

  • Size

    230KB

  • Sample

    220520-qt4k8seah6

  • MD5

    a191e2b46788dc477b0c2bc8a52ef502

  • SHA1

    6e23d973f003cc9b73b8a98dcb01c4f9983366a6

  • SHA256

    1f7fab26098e805c651f1c6fdbbfb99e1d1de4cf0c4564d0ff460aae879d815a

  • SHA512

    7519ec7f52a373dd3898e9a5847961442fa29f96b97a1305c225b2ad1edc0fb02149bb0f894f20ca4392b86fa12a803ef459e268fb3bff52a0c63ed2360aba96

Score
10/10
formbookg8upersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

g8u

Decoy

stuition.com

mj-sculpture.com

cannatainmentevents.com

dianjintang.com

rmlusitania.info

effet-spiruline.com

flatheme.com

supergaminator-vip.com

craftyourmagic.com

lakai.ltd

electionshawaii.com

iqpdct.com

thebestfourstarhotels.com

satoshiceo.com

saintmartiner.com

brothersmarinetoronto.com

citicoin.online

scentsationalsniffers.com

hellonighbourgameees.com

displayonline-france.com

Targets

    • Target

      order SEC.exe

    • Size

      303KB

    • MD5

      d0b89f322dfa77b6a13aabf7f7984f87

    • SHA1

      81d40efb20f6dbfdb8e14a87c57d26b5dc9217d9

    • SHA256

      228e2e5ff30fec5cdde918f48e98664d9bf1f77f550666baa21208ca9b047af4

    • SHA512

      ee98f698267f78abe777276a6853f17499098f9de546ee87ccd4eafd1bc361a0340625a0a9defb11380396297f5fb3200fba14822571618574e127403a88930e

    Score
    10/10
    formbookg8uratspywarestealertrojanpersistencesuricata

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks