Overview

overview

10

Static

static

shipping d...PL.exe

windows7_x64

10

shipping d...PL.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    3708d82b9036e4414462b672814d74ee55979922ef797c5b3c62a33bccf9b742

  • Size

    226KB

  • Sample

    220521-n9sskaehc3

  • MD5

    9cbe83d969cf909f6b36d69d65d4c232

  • SHA1

    3b045a0644e81fcc0c3ca6af7e0e1fea9c84db53

  • SHA256

    3708d82b9036e4414462b672814d74ee55979922ef797c5b3c62a33bccf9b742

  • SHA512

    5f2dd689bbc5d741960afac961c75869c61d92b53edcdcc984009220073c2ac0df8e25fb9225f0ce0df1e327bfcb5007efabb1536d449ca8813085aceb9fee07

Score
10/10
formbookotnpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

otn

Decoy

thewoodwideweb.net

broadconnectionpm.com

tuzlametro.net

vjpqdk.info

vietnamtimetravel.com

notice-close-n217.online

verif22-mail999-pymts76.com

bestgreenhouseplan.com

brangain.top

cukaapelbragg.com

stileincucina.com

veloflambe.com

virtualsupportservicesllc.com

smpl.site

mezo.ltd

incidenciasarty.com

everglamp.com

theflowerfarmplanner.com

oasis-base.net

jnrhsh.com

Targets

    • Target

      shipping doc, INV+PL.exe

    • Size

      450KB

    • MD5

      88116a99ab38e1da8dac37fdfcdafb66

    • SHA1

      8de0eb24271548b06ee88fc5217530638c74c263

    • SHA256

      2085dc9e13df8584961a5cce08759949521da18b21a364ba52a4e6818f80d610

    • SHA512

      56197bafd5bb177ffd57cc0ffc66c9bfe5ed5d0f3e5288f7afb32281684f94741c831a2890a06dda99e514a19fadc1ee63da65c1888a82bd59102e35b65d5c1d

    Score
    10/10
    formbookotnpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks