Overview

overview

10

Static

static

2nd PO389733.exe

windows7_x64

10

2nd PO389733.exe

windows10-2004_x64

7

PO389732.exe

windows7_x64

10

PO389732.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e

  • Size

    547KB

  • Sample

    220521-b5zn4agbbk

  • MD5

    db14522bbafc3685be539d663df51f9c

  • SHA1

    5fcb0d12faa27945252f8a7921d75175f17bb42a

  • SHA256

    1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e

  • SHA512

    337a748c06641569b9729e923a897d8048cc43ce03d7baf849fe3b16aade5a0605592a32109d6b026caf6cc7f6ec19321dbfb76d21d2ad174fb3793b4a0204ae

Score
10/10
formbookxloaderb6fgmmwloaderpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mmw

Decoy

horticulture.biz

sues7011.com

wowingaspf.com

azimutlab.com

lifetiptopics.com

bettersanitary.com

autocuiseur-electrique.com

92kvip.com

scrumguys.com

northwestnova.com

johnzeng.ink

2941brightoncreekct.com

lifewithjulie.com

kurtglobal.net

samuelslang.win

sekolahpaketonline.com

ylfmm.info

rentini.net

fenerliyim.com

indierooftop.com

Extracted

Family

xloader

Version

2.0

Campaign

b6fg

Decoy

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

Targets

    • Target

      2nd PO389733.exe

    • Size

      351KB

    • MD5

      e4df03f1fc29eb4fc32a0801b26ce6ed

    • SHA1

      1c487bae47d8f81ab5b2f851ace41b3520e0e77e

    • SHA256

      ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e

    • SHA512

      f89812a4a5ed11d10c6880e34a2bd34a6f0f96b929fd1bcf3790227505c256abd17ea5f3411529aab9db0c850b3449adcb2399541c52cb3856ebc9800e15f179

    Score
    10/10
    formbookmmwpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

    • Target

      PO389732.exe

    • Size

      325KB

    • MD5

      4cd3bc98fa3df22248c7e5d63dbe1168

    • SHA1

      fb32e85f940945c6c0d3052b80f48f5bc48f7c7d

    • SHA256

      cde5b9157162c55139f508884d7be6be903acc9d85842a667c1b2ef04a1ecd49

    • SHA512

      0b2d2ada876da8ae777b80f2b99895b62449052e723ef5c6a71d02c317dc6c34346f1a35ea875149f2ebd94b775a7b8e3f2e712e2765e0e2fe82c2ec7376896e

    Score
    10/10
    formbookxloaderb6fgloaderpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Xloader

      Xloader is a rebranded version of Formbook malware.

      loaderxloader

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Xloader Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1
T1064

Command-Line Interface

1
T1059

Persistence

Registry Run Keys / Startup Folder

3
T1060

Privilege Escalation

Defense Evasion

Modify Registry

6
T1112

Scripting

1
T1064

Credential Access

Credentials in Files

1
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks