Overview

overview

10

Static

static

INQUIRY.exe

windows7_x64

10

INQUIRY.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    c50d14a3cba28ef65b475833c802e8a9ce51fcefb72a452d8f5daa45a97c1842

  • Size

    484KB

  • Sample

    220521-n5rdyahggn

  • MD5

    6499b551d3c4cb8967b3d5f6570a5217

  • SHA1

    b2daae78d53f08d5bc005ed3f8f613937603bdcd

  • SHA256

    c50d14a3cba28ef65b475833c802e8a9ce51fcefb72a452d8f5daa45a97c1842

  • SHA512

    cc6e2dfb3801d6198ba6b253fd0b17dbe428cf0b012f7a88df35a8bc8c54716fdb0143558acef13fdce32ef09ec96dc318b3b9e29509ef99d812eb7fbee071de

Score
10/10
formbookdthpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dth

Decoy

gallerypiquel.net

960243.com

425sqftart.com

tiedupporn.net

rxmedia.services

carsandjava.com

bannresolar.com

ecowashnh.com

joshuarent.com

kolacabs.com

supps-acc-issue17.net

meilleurs-livres.com

zb-3a-spring.com

gettabs.info

symonha.com

xfl3d.com

blackbrownbrothers.com

travelerecuador.com

cheaperrate.net

zeytinyagciniz.com

Targets

    • Target

      INQUIRY.exe

    • Size

      726KB

    • MD5

      f0c9e48019fa38ed13d89031cd5f2f16

    • SHA1

      18c11a225dd33e64dd7440712c47a8bd9ffc7b66

    • SHA256

      a09022457c7802a48a3f2ef32b8008da65fb4b28b43c8e6ac37c44f0a3ecc028

    • SHA512

      045a3086c55586375d2fd9553034a331cbecc18ece17b2deb6e91f1f1370a2aae3aad1e515a308f1a3eff0d9310ded72ba647fadff78d734c1348608241eec90

    Score
    10/10
    formbookdthpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks