General

  • Target

    6c0726019c69676d072d2680a142cbe4d194b8b9cd61fa7833b54e0f6dce299a

  • Size

    407KB

  • Sample

    220521-nddc1agfbn

  • MD5

    34dbe410cb043fe58d8bd5d0f0c08ef8

  • SHA1

    8df0e73710e95830f6d17dab713d314e146e9272

  • SHA256

    6c0726019c69676d072d2680a142cbe4d194b8b9cd61fa7833b54e0f6dce299a

  • SHA512

    1f2df8a886af340a92fd6001fa5208f3c2f9f04cbc9ae6929539c154debf6fee3c2e239d73c99dc38934b561e936d0df6a8cc76bdb2556b4671420ac03031171

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

aq3x

Decoy

atinderellastory.com

transylvaniawanderlust.com

b9x1muhzjm4.biz

questmfgtech.net

globalsmartcoin.com

wine-worldtour.com

boerauto.com

lovelybakingco.com

mosikito.com

valorea-immobilier.com

szts168.net

emarkage.com

extraordinarylivingstore.com

ihatehunger.com

animoji.zone

robocovers.com

refengmo.com

beckomedia.com

rifitumab.com

vfatgroup.com
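The decoy list above is the most useful hunting artefact in a FormBook config: the sample beacons to every domain in it (one real C2 plus the decoys), so a single host resolving several of them in a short window is a far stronger signal than any one domain alone. The following Python script is an added example, not part of the sandbox report; it reads a constructed DNS query log (the log format, client addresses and thresholds are assumptions) and flags clients that hit at least three of the extracted domains within five minutes, matching subdomains as well as exact names.

```python
"""Hunt a DNS query log for hosts resolving several FormBook config domains.

Added example, not part of the sandbox report. The log format, the client
addresses and the window/threshold values are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set

# Domains copied verbatim from the "Decoy" section of the extracted config.
FORMBOOK_DOMAINS: Set[str] = {
    "atinderellastory.com", "transylvaniawanderlust.com", "b9x1muhzjm4.biz",
    "questmfgtech.net", "globalsmartcoin.com", "wine-worldtour.com",
    "boerauto.com", "lovelybakingco.com", "mosikito.com",
    "valorea-immobilier.com", "szts168.net", "emarkage.com",
    "extraordinarylivingstore.com", "ihatehunger.com", "animoji.zone",
    "robocovers.com", "refengmo.com", "beckomedia.com", "rifitumab.com",
    "vfatgroup.com",
}

# Constructed sample log, one query per line:
# "<ISO-8601 timestamp> <client IP> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2022-05-21T10:02:13Z 10.0.0.12 A questmfgtech.net.
2022-05-21T10:02:14Z 10.0.0.12 A www.transylvaniawanderlust.com
2022-05-21T10:02:15Z 10.0.0.12 A boerauto.com
2022-05-21T10:02:16Z 10.0.0.12 AAAA szts168.net
2022-05-21T10:05:00Z 10.0.0.44 A lovelybakingco.com
2022-05-21T10:40:00Z 10.0.0.44 A robocovers.com
2022-05-21T10:41:00Z 10.0.0.99 A example.com
"""


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot that some resolvers log."""
    return qname.strip().lower().rstrip(".")


def matches_ioc(qname: str, iocs: Set[str]) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None."""
    labels = normalize(qname).split(".")
    # Walk from the full name upwards, never checking the bare TLD, so that
    # www.questmfgtech.net matches questmfgtech.net but "com" never matches.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _qtype, qname = parts
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), client, qname


def hunt(text: str, iocs: Set[str], window_seconds: int = 300,
         min_distinct: int = 3) -> Dict[str, List[str]]:
    """Return {client: all IOC domains it resolved} for every client that
    resolved at least min_distinct different IOC domains within window_seconds."""
    hits = defaultdict(list)  # client -> [(timestamp, ioc domain)]
    for ts, client, qname in parse_dns_log(text):
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits[client].append((ts, ioc))

    flagged: Dict[str, List[str]] = {}
    for client, events in hits.items():
        events.sort()
        start = 0
        # Sliding window over this client's IOC hits, ordered by time.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {ioc for _, ioc in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[client] = sorted({ioc for _, ioc in events})
                break
    return flagged


if __name__ == "__main__":
    for client, domains in hunt(SAMPLE_DNS_LOG, FORMBOOK_DOMAINS).items():
        print(f"{client}: {len(domains)} FormBook domains -> {', '.join(domains)}")
```

With the defaults only 10.0.0.12 is flagged; 10.0.0.44 resolved two listed domains 35 minutes apart, which falls below both the distinct-domain and time-window thresholds and is exactly the kind of single-decoy noise (parked or legitimate sites re-used as decoys) that a per-domain alert would fire on.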

Targets

    • Target

      opTrJaglOqdy9oE.exe

    • Size

      553KB

    • MD5

      ed5ff25257d74b36a35c3a171dd754cc

    • SHA1

      238a3737b3458e3ad2dcef135e9086f6be65811b

    • SHA256

      a8534e310ee42756cfc01caf1eeddc8f4bca6e7e7f36de1a90f5c6ccc480e90a

    • SHA512

      5f262537948b58769264dc896a2defd7d5a982e01ed7c7e3be12647e861a0c119e166e50b776be315015d66c5425183eac78094dc38fc41cab319f38fe91a00a

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service: it grabs form data and saved credentials from browsers and mail clients, logs keystrokes and clipboard contents, and exfiltrates them to its C2, which can also task it to download and run further payloads.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      Suricata matched the Emerging Threats rule for a FormBook command-and-control check-in over HTTP GET, i.e. the sample reached its C2 during the run.

    • Formbook Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution; detonation results may therefore differ with the sandbox's configured locale.

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill data.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread of another process is typically used to redirect execution into injected code (e.g. process hollowing).

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Execution             Command-Line Interface         1      T1059
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       Modify Registry                1      T1112
  Credential Access     Credentials in Files           1      T1081
  Discovery             Query Registry                 1      T1012
  Discovery             System Information Discovery   3      T1082
  Collection            Data from Local System         1      T1005

  Count is the number of sandbox signatures mapped to each technique. The IDs follow ATT&CK v6; in current ATT&CK versions T1081 is deprecated and its content lives under T1552.001 (Unsecured Credentials: Credentials In Files).