Overview

overview

10

Static

static

PO_CS009.exe

windows7_x64

10

PO_CS009.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f02b9aaeb8bb7359fdd8fc85f693292d863a481eea4213e066661a35c52087fe

  • Size

    1.2MB

  • Sample

    220521-ngx7ksghar

  • MD5

    3a544925245ef4452fbd234d2e2817eb

  • SHA1

    35c5bf53af4d0b78b9f9b0c0072fb81143669bdc

  • SHA256

    f02b9aaeb8bb7359fdd8fc85f693292d863a481eea4213e066661a35c52087fe

  • SHA512

    ff9aa549e64b7ccff0c7f38109c32e0e37acdf280214c581c7f0fc754fcec8d93dacc76b290e3cb117482fbde90de34245ecc657421fe73b3c92152acad35801

Score
10/10
formbookq5epersistenceratrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Targets

    • Target

      PO_CS009.EXE

    • Size

      362KB

    • MD5

      08b794da39ef13910c12b15e072c1edd

    • SHA1

      b0e926330b4b67e823c2a12e9b8fa789a1b9291f

    • SHA256

      4092b0f7ea14add16e6f6f35071b074458a19d4550af50a80ed5742cc7046568

    • SHA512

      97822a1eb2197352f67037ec6b3c6cf8b0a54ebac288f84d3a254d1b1af2c53e2a5db4e3a13e91df80d4ce127a033485915e01f47fa0ecd6edd0d778655a0156

    Score
    10/10
    formbookq5epersistenceratrezer0spywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks