Overview

overview

10

Static

static

RFQ_TMZ14062020.exe

windows7_x64

10

RFQ_TMZ14062020.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    15ac04ec28d56ae025739eb61733b091ce0c6ea9498eca607c07e2f71c702df1

  • Size

    194KB

  • Sample

    220521-mmfdaafbdq

  • MD5

    4c14e5f104fe6a299773d4b4399c91c9

  • SHA1

    7e1e41e7e29a66c20263c1508b822b2c7675af6a

  • SHA256

    15ac04ec28d56ae025739eb61733b091ce0c6ea9498eca607c07e2f71c702df1

  • SHA512

    86843e971de5031e57ff1638283171197f00afaa632a6c225c7bc3d39475ee7c620e47957ef5e8259a7a30525ba8499c8d5c969283ff9aebd7bfa593401f3049

Score
10/10
formbookb0ypersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b0y

Decoy

studiokopa.net

captaindoggo.net

project-woodwork.com

lasvegaskosher.com

elionimali.com

cozystylekobe.com

baiyizhao.com

djaimevargas.com

getshop.today

chikkadee.com

historicnortherncolorado.com

artofbrandstorytelling.com

robinsonscommunitiesph.com

petfriendlyrentals.net

dolphinsdragonsanddinsoaurs.com

phucquangphat.com

charitydigitalnetworks.com

czhuiyue.com

thetripletwomethod.com

harvestexcitementonline.info

Targets

    • Target

      RFQ_TMZ14062020.exe

    • Size

      242KB

    • MD5

      051b8c8e6d62b265a1486098755c8f92

    • SHA1

      0c4d1555f68e60702fdecd2a5efe9f92b6fc9852

    • SHA256

      e667a864a89ee23cf61430baa3eafd40ce829dbb6b4ae31ef7a65f645cf13d2c

    • SHA512

      40a7e97d3cf117e92a5e676927f46eaf9f22f4a96ad4d66d8fba56fab563d1ef6e4761fecf038ea62c13d760e86bba787b9a80aa870312d202a2ed12a4a29356

    Score
    10/10
    formbookb0yratspywarestealersuricatatrojanpersistence

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks