General

  • Target

    930ce81bea6819c32ad02f82e331f62c1339dcc0df585dc5b7c9dc06165eb1e0

  • Size

    620KB

  • Sample

    220521-aexldaabc8

  • MD5

    7b2d13d490b4cff7637b9cdc3cc505e1

  • SHA1

    e2abe36f6bdaca34179f07536c797f416d7f5e62

  • SHA256

    930ce81bea6819c32ad02f82e331f62c1339dcc0df585dc5b7c9dc06165eb1e0

  • SHA512

    530526c0e5fe4bbd2c9cb3661f7e8d445363f1f11bf5c087523b4aef4c30af064c64b6d1888e871b048b207263dbe7ad8704a6a52d3ce73673d232cafe9ddabd

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com

Targets

    • Target

      yeni sipariş sorgulama.exe (Turkish: "new order inquiry.exe", a typical invoice/order lure; the ş was mis-encoded in the report)

    • Size

      813KB

    • MD5

      645876569da3612ca1ccef31d94c348d

    • SHA1

      6af515a9cd19b313223e52d0ab20b4405b184820

    • SHA256

      6d176caf6c21bdc47aa0ee2e6e42f37d2f4c4a810af40dd7343da25cfd306bd5

    • SHA512

      d002461b4c0c87cfffdecde830b3bd1b319fff7866a0b15d07ed6e342f60f657f396a15a38e01c70216b9ea20f02f39797449f97ac3a80ed4421d091074b6b84

    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials and form data from browsers and other applications, logs keystrokes and clipboard contents, and exfiltrates them to its C2.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Adds policy Run key to start application

      Persistence via HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, which Explorer honours like the standard Run key but which is far less commonly inspected.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Rewriting another thread's register context is the hand-off step of process hollowing and similar injection techniques.
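The behaviours listed above (standard and policy Run-key persistence) and the decoy list in the extracted config translate directly into hunting rules. The following is an added example, not part of the sandbox report: two detections run over Sysmon-style JSON events (Event ID 13, registry value set; Event ID 22, DNS query). The event records are constructed for illustration; the Sysmon field names, the registry paths and the severities are assumptions of the example, and the `Image` values are placeholders.

```python
"""Hunting rules derived from the behaviours and config in this report.

Added example, not part of the sandbox report. Events are Sysmon-style JSON
lines (field names are an assumption of the example).
"""
import json
import re

# Decoy/C2 domains from the "Malware Config" section (campaign kvsz).
DECOY_DOMAINS = {
    "okashyns.com", "sbsgamedaejeon-two.com", "drb77.com", "top5dating.com",
    "websprings.online", "voizers.com", "zenith.site", "lahistoriade.com",
    "qv85.com", "armandonieto.com", "priestvedic.com", "jessandjeff.net",
    "magic-desktop.com", "jitaji.com", "ldmeili.com", "yuwanqingmy.com",
    "buzhouorg.com", "chaiseloungereviews.com", "m2g8way.com",
    "freespin-support.com",
}

# Matches a value written under Run/RunOnce, or under Policies\Explorer\Run
# (the "policy Run key" the report flags). Works for HKU and HKLM paths.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\"
    r"(?P<policy>Policies\\Explorer\\)?Run(?:Once)?\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)


def check_registry_event(ev):
    """Sysmon Event ID 13 (RegistryEvent, value set): flag Run-key persistence."""
    if ev.get("EventID") != 13:
        return None
    m = RUN_KEY_RE.search(ev.get("TargetObject", ""))
    if not m:
        return None
    policy = m.group("policy") is not None
    return {
        "rule": "policy_run_key" if policy else "run_key",
        "technique": "T1060",
        "severity": "high" if policy else "medium",
        "image": ev.get("Image", ""),
        "detail": f"{m.group('value')} = {ev.get('Details', '')}",
    }


def check_dns_event(ev):
    """Sysmon Event ID 22 (DnsQuery): flag lookups of config decoy/C2 domains."""
    if ev.get("EventID") != 22:
        return None
    name = ev.get("QueryName", "").lower().rstrip(".")
    hit = next((d for d in DECOY_DOMAINS if name == d or name.endswith("." + d)), None)
    if hit is None:
        return None
    return {
        "rule": "formbook_decoy_domain",
        "campaign": "kvsz",
        "severity": "medium",
        "image": ev.get("Image", ""),
        "detail": f"{name} (matches config decoy {hit})",
    }


def hunt(json_lines):
    """Run every rule over newline-delimited JSON events; return the alerts."""
    alerts = []
    for line in json_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for rule in (check_registry_event, check_dns_event):
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample telemetry (not from the sandbox run): a benign Run-key
# write, a policy Run-key write, a decoy-domain lookup and an unrelated lookup.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13,
                "Image": "C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
                "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
                "Details": "\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"}),
    json.dumps({"EventID": 13,
                "Image": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe",
                "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\svchost",
                "Details": "C:\\Users\\u\\AppData\\Roaming\\svchost.exe"}),
    json.dumps({"EventID": 22, "Image": "C:\\Windows\\explorer.exe",
                "QueryName": "www.okashyns.com"}),
    json.dumps({"EventID": 22, "Image": "C:\\Windows\\explorer.exe",
                "QueryName": "www.microsoft.com"}),
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["rule"], a["image"], "->", a["detail"])
```

Two caveats a practitioner should keep in mind: FormBook's config mixes the real C2 with decoy domains that are mostly ordinary, benign sites, so a single DNS hit against the list is a weak signal on its own and is best used to pivot on the querying process; the policy Run key, by contrast, is almost never written by legitimate software, which is why the example rates it higher than a standard Run-key write.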

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                Technique                            ID      Signatures
Execution             Scheduled Task                       T1053   1
Persistence           Registry Run Keys / Startup Folder   T1060   2
Persistence           Scheduled Task                       T1053   1
Privilege Escalation  Scheduled Task                       T1053   1
Defense Evasion       Modify Registry                      T1112   3
Credential Access     Credentials in Files                 T1081   1
Discovery             Query Registry                       T1012   1
Discovery             System Information Discovery         T1082   2
Collection            Data from Local System               T1005   1

Tasks