Overview

overview

10

Static

static

MV TBN -Sp...CX.exe

windows7_x64

10

MV TBN -Sp...CX.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b64040919a8c9500cae6c10c5d05fd697e17bcb79a730e754fc2f6381e8620be

  • Size

    640KB

  • Sample

    220521-n1jhjahegn

  • MD5

    6a1e13ee75c68d0a0f10aa275859463f

  • SHA1

    d1d901fa39a9d23d9ef3e431e367f37568fb74e7

  • SHA256

    b64040919a8c9500cae6c10c5d05fd697e17bcb79a730e754fc2f6381e8620be

  • SHA512

    6712f31f8c101c155632581c3c9faf71d98099e7c4d9aab4878590f178974622a5dd8ac41cbccaa52504a3da42999e4edb3fd31ddd4da99596094629ebd3fce3

Score
10/10
formbookhm2persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

hm2

Decoy

vodu.ltd

arauderghem.net

bluebackpage.com

cheapairmaxsaleclearance.com

soldiersofarts.com

fbservice.info

x9e7x7.info

davidhenkel.com

plantrak.net

66sbleiv.com

cartierringprice.com

roupeiroblog.com

thxcn.com

baboondynasty.win

thecloudm.com

everythingreviews.net

zimmermansales.net

movie.kitchen

im.help

geebzor.com

Targets

    • Target

      MV TBN -Specification and PL-DOCX.exe

    • Size

      1.1MB

    • MD5

      03f9ffea8cc879ec181c918152814554

    • SHA1

      b778b6ef1adf0eeb945b762a2ac99c893e5be5de

    • SHA256

      bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a

    • SHA512

      642843897a84e82491cfa93f430490e9dcf83622c2c344c4c56f15920081665e716c4771f055aafb3b232ad887242ef0ef0785d1ee97b64efda3360b9f5b1e35

    Score
    10/10
    formbookhm2persistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks