General

  • Target

    fe1e12e4d258ee81553219aba85ac4d54873becc6598f70d0c060e63a3817214

  • Size

    343KB

  • Sample

    220521-blk2lacag4

  • MD5

    4f4e5d926b14eaa82824b3655fb75b0b

  • SHA1

    e0b2362bc434e27224d2bc4700b4073fcb7223d3

  • SHA256

    fe1e12e4d258ee81553219aba85ac4d54873becc6598f70d0c060e63a3817214

  • SHA512

    66acd991241fed542b10068dd31d58b4e66849613a49860e7711c4ab141ed28d649209405e073c26037f441df50cb1adb954ad64462175d00008cfccb8bab638

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    q5e

  • Decoy

    2177.ltd
    thanxiety.com
    max-width.com
    fixti.net
    mostmaj.com
    mobilteknolojiuzmani.com
    historyannals.com
    wheelchairmotion.com
    mossandmoonstonestudio.com
    kastellifournis.com
    axokey.net
    peekl.com
    metsteeshirt.com
    abcfinancial-inc.com
    btxrsp.com
    amydh.com
    ccoauthority.com
    lumacorretora.com
    kimfelixrealtor.com
    iconext.biz

Targets

    • Target

      RFQ #005460.exe

    • Size

      480KB

    • MD5

      34eea69edb6613e5544b9c169ddb2b18

    • SHA1

      852d1c8303c6f8f14c0ac2ada3db5b2452828766

    • SHA256

      67919ae47a37d6ee2dab5c3899fdd83f293f06f5678aab8c7219e497f74690ec

    • SHA512

      c1239ad2d5f716af4c3c36fab93aa75b69f2fe4026e281f95048ea838261d3c2e140cb62280f089b0f8c6028eef8eb6ed8e599d61dccdc712ef8f8ed6c0d1750

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Adds Run key to start application

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Credential Access

    Credentials in Files (T1081): 1

  • Discovery

    Query Registry (T1012): 1
    Peripheral Device Discovery (T1120): 1
    System Information Discovery (T1082): 1

  • Collection

    Data from Local System (T1005): 1

Tasks