Overview

overview

10

Static

static

130003150.exe

windows7_x64

10

130003150.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7df5e3dbbf4aba798bc3fc963731c0c6aa6645301235c72eddb8cd374265ac14

  • Size

    320KB

  • Sample

    220521-n5kamahgfl

  • MD5

    4e57b2683adb0ff4141215d9a06bf57a

  • SHA1

    dbd360c355b16913ac6ce7183073530a561263de

  • SHA256

    7df5e3dbbf4aba798bc3fc963731c0c6aa6645301235c72eddb8cd374265ac14

  • SHA512

    828e540db9847e40bde7921193823bf16235e8ca4dd577e733adce8081e9c83f6c024958b2daceb47169e864d1ef11445e493e3ad558c639bcc5dff76cfb04d1

Score
10/10
formbookotnpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

otn

Decoy

thewoodwideweb.net

broadconnectionpm.com

tuzlametro.net

vjpqdk.info

vietnamtimetravel.com

notice-close-n217.online

verif22-mail999-pymts76.com

bestgreenhouseplan.com

brangain.top

cukaapelbragg.com

stileincucina.com

veloflambe.com

virtualsupportservicesllc.com

smpl.site

mezo.ltd

incidenciasarty.com

everglamp.com

theflowerfarmplanner.com

oasis-base.net

jnrhsh.com

Targets

    • Target

      130003150.exe

    • Size

      393KB

    • MD5

      4300f14f031e8a4330a8c56894b22fca

    • SHA1

      b83b39f1a587ff6697c94a08da1c3db857a13a4c

    • SHA256

      e65997e20f521c8eee713623c45c9600a7a05629c85d73c9dd2bdf696f43e5de

    • SHA512

      572c9e11d862a28f2d8fea4c3cf62d18350d04cecff7eda36730efa593d0daf1c9fb94e15547d2e8ec1bb5736d53a3fb586f6cc22aa4c48d33ee806c9088edb9

    Score
    10/10
    formbookotnpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks