Overview

overview

10

Static

static

Invo458_Signed_.exe

windows7_x64

10

Invo458_Signed_.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c02f34dcea29e7a3b6901cd3e745fbae79e2ab45db6ba28569a5d3994aedde8c

  • Size

    578KB

  • Sample

    220521-m55qwsdba5

  • MD5

    7272844cb5b923da6bd4388d739d0b9e

  • SHA1

    7d44b3242ed77346482f0ab5a7925f527500b413

  • SHA256

    c02f34dcea29e7a3b6901cd3e745fbae79e2ab45db6ba28569a5d3994aedde8c

  • SHA512

    3fe393056acc933b2f9b8da0452fb01c36aa6957ee42fc781293de0c63bdd74c028a552ebc7720e67305d75d6078a2583cb4c2ae1c4648fe503c83e316999c8a

Score
10/10
formbookn8xpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n8x

Decoy

xn--bwwn53bbqc.net

theschooloftheinvisual.net

highseqanalysis.info

fengkuanghanyu.com

myexecutivejourney.com

rfwtje.info

amilcarspencerdemelo.com

cryptodreaming.info

astoundingvogueboutique.com

ytjulin.com

croxventure.com

panstarv.com

fatimahinayet.com

mattyboysparrow.com

dtfftfut.com

y0uhdporno.com

91av5.com

coralchau.com

f98fhr567a.info

aengion.com

Targets

    • Target

      Invo458_Signed_.exe

    • Size

      1.1MB

    • MD5

      386a65d6fb3e5a13d690c20474e6c342

    • SHA1

      3084a0d410b1b1ee0bc5a5308a8f65124b574e56

    • SHA256

      4a5f33710715ce37a266d1848db4599be8ede6fe3f1070aa49b3bcca352f3f46

    • SHA512

      e571e72487787b174c862a26ce03a3736b9f56361e091684f991821924eee2a3941664164f2714ba078cc78e178d69491610d076147f940415ca6027b8f6cea9

    Score
    10/10
    formbookn8xpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks