Overview

overview

10

Static

static

August PO.exe

windows7_x64

10

August PO.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8a91915f32ed87bb6018a8c8feb3775531e4139f89d05bb28f1bf9ba93b1624f

  • Size

    409KB

  • Sample

    220521-nbrgvadde4

  • MD5

    4e40b87de03efe2379211eea7f9dafa5

  • SHA1

    2e11150709111ffaec5d05b6f2d8f91ec1617a9f

  • SHA256

    8a91915f32ed87bb6018a8c8feb3775531e4139f89d05bb28f1bf9ba93b1624f

  • SHA512

    724feb2da8425f5182ed71b2a9179f5d2ec08469d4a146565914e2a97c740c9495a7721f5614922b4b2d7a62b5ab9ac0ca55d45bb9075c9f4bcaa48267fb5c4e

Score
10/10
formbookg82persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g82

Decoy

hqeknj.men

keboku.com

westofbroadway.net

trustbetween.com

alpa-dachbeschichtung.com

korea-kone.com

akira-fukui.com

bikehire.net

stabilizedliquidoxyen.com

thepigeonpea.com

myilene.life

classroomclosets.com

albergodellasalute.com

propiedadesok.com

gannettinsights.com

marie-rae.com

essentalgems.com

appicot.com

lupinpaints.com

jizhehua.com

Targets

    • Target

      August PO.exe

    • Size

      567KB

    • MD5

      1de6deb3fb735bbc867c39ab0fa605e3

    • SHA1

      d16db5cf8af609e28f2bf6813b8cd8150f4f73b2

    • SHA256

      0bf6ccdd920a50186f7318c51564ecc8f502302b084a5fda3feadb0d51e40f24

    • SHA512

      4a25e6d27bf93ed823c59f4c8c145d5c2e11ba414546cabb22169d028186e3fa27d760718bd48848905c856bf115035d5b384505916c3c091c0bd4d709b8c6e8

    Score
    10/10
    formbookg82ratspywarestealertrojanpersistencesuricata

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks