Overview

overview

10

Static

static

stud.exe

windows7_x64

10

stud.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8b32a471a19e78217ba94e7663567c3b1b1d86090df2febfb00bc2bd76b1e66a

  • Size

    465KB

  • Sample

    220521-mzqpsafhbp

  • MD5

    8db140849e3c8d9b212671d45702096c

  • SHA1

    5989545dc4ba8c40d450948ad68cbad820a4b2bd

  • SHA256

    8b32a471a19e78217ba94e7663567c3b1b1d86090df2febfb00bc2bd76b1e66a

  • SHA512

    f565d6e1bb09b2213c8f8770e89fc8f1527bc87c0a1f674e384061ce810a7527c53714ca70c06871369497b6e0cbd508e49212cb7791393ce2f77e042935c864

Score
10/10
formbookasa2persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

asa2

Decoy

kznbf.info

dl-today.com

jiucai1688.com

makrobet508.com

xjyyjx.com

xn--riqq15a1oh5j5a.com

ecotrait.com

668opebet.com

lucyloveboutique.com

suddenslim.com

mettsing.com

0pe816.com

expressionsofebony.com

ripleychurchofchrist.com

cwinterim.com

qilu129.com

enoteca17.com

itbpolice.com

shoulderworkmassage.com

02lh.com

Targets

    • Target

      stud.exe

    • Size

      755KB

    • MD5

      6044900d66376321ad6f237d1b465ecc

    • SHA1

      0147db0583256b648680a54573b288f9167cca67

    • SHA256

      9099123ab27c467c09e2483339756820e29e6d8cd3d0346305d3873902e4af65

    • SHA512

      03fdca6dfdccc2a17abbfb42adfb5a89a5e2a32b9929efde0689da17967db406dd55f057162d2324605254c354130c8b73077fa9bc4bf23053878ffc5f239076

    Score
    10/10
    formbookasa2ratspywarestealertrojanpersistencesuricata

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks