Overview

overview

10

Static

static

PO..exe

windows7_x64

PO..exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    54dfdea0cb31caccae921efb93d0a8ecae8e0dd28d7454b059b255c0b898f03f

  • Size

    403KB

  • Sample

    220521-nb1eraddf2

  • MD5

    0ad1df65b49269bf154873e8639c2b80

  • SHA1

    099ab828a9dd942d9bb7e778415844022048c72f

  • SHA256

    54dfdea0cb31caccae921efb93d0a8ecae8e0dd28d7454b059b255c0b898f03f

  • SHA512

    c0ceca96d0ec9d403bedf108bb42acbd10c4ab46bdbc8180cb6b4b4821c157fcdb64306ba581ef30380f920373ec69f3baf3d21befca8de7ee932267e16bc5ed

Score
10/10
formbookg82persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g82

Decoy

hqeknj.men

keboku.com

westofbroadway.net

trustbetween.com

alpa-dachbeschichtung.com

korea-kone.com

akira-fukui.com

bikehire.net

stabilizedliquidoxyen.com

thepigeonpea.com

myilene.life

classroomclosets.com

albergodellasalute.com

propiedadesok.com

gannettinsights.com

marie-rae.com

essentalgems.com

appicot.com

lupinpaints.com

jizhehua.com

Targets

    • Target

      PO..exe

    • Size

      561KB

    • MD5

      f860643dd91d5ce1673b9ad9e33c97b6

    • SHA1

      9fca8d58fb45dbf7b1ef7c6f0a8f992de4a61e83

    • SHA256

      7eb341c011c4ea364ef927cfc57ac980111e9c49012834c3760896fec7f04d52

    • SHA512

      396bc6fcd0d0c28875aba8991f7e8c3e5c1f7507fb360d3fe026382893ca46fd286939fc79122bb090afc9aa2eda257fe58444a4a5b4abd0dd80617fdffd69f0

    Score
    10/10
    formbookg82persistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks