General

  • Target

    f81b600bdc6cc3567388b747dcd8125ed1af34d1ea5aa0a8207f3e9ff08ef3c3

  • Size

    319KB

  • Sample

    220520-rqnlaabbcj

  • MD5

    ca3fdc95c72c231742846892c01b9835

  • SHA1

    27d7080b042e41d4e1bc1d3b9d66a8f55c661024

  • SHA256

    f81b600bdc6cc3567388b747dcd8125ed1af34d1ea5aa0a8207f3e9ff08ef3c3

  • SHA512

    d207dc8b17f5425df194af69506a292767398c04c1b0c3c8c20825b4a36044ff4595ca56ffbff6a2938f12db9ba9832b8dc7a645bd83df7b273db3725c844299

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    3nop

  • Decoy

Targets

    • Target

      Yeni Sifari?.exe

    • Size

      651KB

    • MD5

      ef3ca842b9c00a0bc3c40cb0c547180e

    • SHA1

      decbd80b7215eef9049542b529986359fea02ff9

    • SHA256

      cc223497fe89e227d0696798ffd12ef6037ee71dfe047483f6a8f1be69bf5754

    • SHA512

      4bd7eaf9b7c2c4c78b14788549cb71da2eb8074b81c786a6a8b0e03677a9bd1c89118a47ecd150249b46dab4798f0b00c4a5f40e15cd0a629243f90548eceede

    • Formbook

      Formbook is a data-stealing malware family (an infostealer).

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • Adds policy Run key to start application

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic               Technique                           Count  ID
Persistence          Registry Run Keys / Startup Folder  2      T1060
Defense Evasion      Modify Registry                     3      T1112
Credential Access    Credentials in Files                1      T1081
Collection           Data from Local System              1      T1005
Command and Control  Web Service                         1      T1102

Tasks