Overview

overview

10

Static

static

order SEP.exe

windows7_x64

10

order SEP.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    365876fb9df710d6479e62ba3e5d95e524018c5fa0a37ccf9f674ff23dc6fb9d

  • Size

    316KB

  • Sample

    220521-dqgk3sgba5

  • MD5

    b2e898c1a6a1aa5d1e88a6df087b06db

  • SHA1

    a1b4152d4351085175720c617324ddd629d295b4

  • SHA256

    365876fb9df710d6479e62ba3e5d95e524018c5fa0a37ccf9f674ff23dc6fb9d

  • SHA512

    42cca2defeb3f30c2bb9b0bca1a3cfbae8e81f08dbf252a70edbc89d3c73c9587fd535d9914d7150554d459b334353ccbf42905f549d6bd379d7a290fb871315

Score
10/10
formbookg8upersistenceratrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

g8u

Decoy

stuition.com

mj-sculpture.com

cannatainmentevents.com

dianjintang.com

rmlusitania.info

effet-spiruline.com

flatheme.com

supergaminator-vip.com

craftyourmagic.com

lakai.ltd

electionshawaii.com

iqpdct.com

thebestfourstarhotels.com

satoshiceo.com

saintmartiner.com

brothersmarinetoronto.com

citicoin.online

scentsationalsniffers.com

hellonighbourgameees.com

displayonline-france.com

Targets

    • Target

      order SEP.exe

    • Size

      394KB

    • MD5

      7e17022d4cb372a3a853feedcd918d90

    • SHA1

      ad69c5d385a4d7156c8ff3eeb2379739c53ded02

    • SHA256

      3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae

    • SHA512

      0fa20e95892462768517fbacf5df0b62258d9a8f9f5bab521962571b49a9d50353042e48cbf2bc2ff1af300d62adfbe9cf34d3ea4e92eb0b8d090ccbd7c00692

    Score
    10/10
    formbookg8upersistenceratrezer0spywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks