1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e

General

Target: 1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e
Size: 547KB
Sample: 220521-b5zn4agbbk
Score: 10/10
MD5: db14522bbafc3685be539d663df51f9c
SHA1: 5fcb0d12faa27945252f8a7921d75175f17bb42a
SHA256: 1276c85709b33cafab4e0079f409ea0c83e41d97e30dcc50a11cce385f10d62e
SHA512: 337a748c06641569b9729e923a897d8048cc43ce03d7baf849fe3b16aade5a0605592a32109d6b026caf6cc7f6ec19321dbfb76d21d2ad174fb3793b4a0204ae

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: mmw
Decoy domains:

horticulture.biz

sues7011.com

wowingaspf.com

azimutlab.com

lifetiptopics.com

bettersanitary.com

autocuiseur-electrique.com

92kvip.com

scrumguys.com

northwestnova.com

johnzeng.ink

2941brightoncreekct.com

lifewithjulie.com

kurtglobal.net

samuelslang.win

sekolahpaketonline.com

ylfmm.info

rentini.net

fenerliyim.com

indierooftop.com

collegetycoon.com

cleaningcranberry.com

kbvqnaaq.com

mozartoffshore.com

fonu.ltd

domaine-mr.com

driprealty.net

liaoyuan9.com

vanessas.fitness

christopherboalewing.com

simplefavorevents.com

greatwesylife.com

zhongqingshuiwushi.com

488w66.com

comingu.com

studioloannguyen.com

nepalmovie.com

trashbrowns.com

3-treasures.com

fixingbaldness.com

xn--crinblanc-93a.com

052ygh.info

southwestvations.com

dzzsedu.com

alexagoraphobia.com

xn--6ssw80aisjn63a.com

md-consortium.com

wheatgrasslab.com

773sy.com

daftd.com

Extracted

Family: xloader
Version: 2.0
Campaign: b6fg
Decoy domains:

multlockmt5.com

mohajrannoor.com

robynhoodofretail.info

belinv.com

hotellasab.com

kibrismosad.com

xn--fxwm39aeb590h.xn--io0a7i

resetbrasil.com

tcsonhvac.com

theresav.net

bohoqi.info

machinafuturae.com

mambavault.com

xn--980am9a.top

yumiang.com

evntmonitor.com

83003kk.com

triterm.com

8800pe.com

silvanstudio.com

taragon-entertainment.com

ahly-live.com

ucpprint.com

betscrum.com

homehit.house

taab3.net

martiswatches.com

cartel-sinaloa.com

flyfuncenter.com

lezhen.top

aiotstairlift.com

selfless-entrepreneur.com

easttaiwansurftrip.com

descubriendonoruega.com

wicoru.com

tacmktg.com

callisterlawgroup.com

khogiaychinhhang.com

hobianak.com

pole-entrepreneur.net

callumjcummings.com

sgknox.com

xn--zuneauspolen-gcb.com

wwwjinsha622.com

everyoneschocolate.com

medlplayground.com

honeynray.com

whackajudge.com

alwarren.com

venglishhouse.com

Targets

Target: 2nd PO389733.exe
MD5: e4df03f1fc29eb4fc32a0801b26ce6ed
Filesize: 351KB
Score: 10/10
SHA1: 1c487bae47d8f81ab5b2f851ace41b3520e0e77e
SHA256: ece024ccd4accbc99e106f03c4b4764765b37615e3caa0b021084ac5f689cc3e
SHA512: f89812a4a5ed11d10c6880e34a2bd34a6f0f96b929fd1bcf3790227505c256abd17ea5f3411529aab9db0c850b3449adcb2399541c52cb3856ebc9800e15f179

Signatures

  • Formbook
    Description: Formbook is an information-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload

  • Adds policy Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Uses the VBS compiler for execution
    TTPs: Scripting

  • Suspicious use of SetThreadContext

Target: PO389732.exe
MD5: 4cd3bc98fa3df22248c7e5d63dbe1168
Filesize: 325KB
Score: 10/10
SHA1: fb32e85f940945c6c0d3052b80f48f5bc48f7c7d
SHA256: cde5b9157162c55139f508884d7be6be903acc9d85842a667c1b2ef04a1ecd49
SHA512: 0b2d2ada876da8ae777b80f2b99895b62449052e723ef5c6a71d02c317dc6c34346f1a35ea875149f2ebd94b775a7b8e3f2e712e2765e0e2fe82c2ec7376896e

Signatures

  • Formbook
    Description: Formbook is an information-stealing malware family.

  • Xloader
    Description: Xloader is a rebranded version of Formbook malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

  • Xloader Payload

  • Adds policy Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Executes dropped EXE

  • Deletes itself

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

Tactics: Command and Control; Credential Access; Defense Evasion; Exfiltration; Impact; Initial Access; Lateral Movement; Privilege Escalation