General

  • Target

    997644d0d16bbb753f8d5058e19aeb1e28d1a8f46f5f0935183baa3c80debcc2

  • Size

    546KB

  • Sample

    220521-nrne5ahbek

  • MD5

    67266e19d606f4ec118109c8735abdc3

  • SHA1

    419ceebe073463fc10336a8eb1c9f93b0a0a9d8c

  • SHA256

    997644d0d16bbb753f8d5058e19aeb1e28d1a8f46f5f0935183baa3c80debcc2

  • SHA512

    9d59e18a600c1567094d6c30776d4ebdf15c9a6dd795762f809adb2eac0ba27971804dc8ebddf4b845462c9ee8e5b35ed9ea58254cbd20e7950ff90b428da650

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kvsz

Decoy

okashyns.com

sbsgamedaejeon-two.com

drb77.com

top5dating.com

websprings.online

voizers.com

zenith.site

lahistoriade.com

qv85.com

armandonieto.com

priestvedic.com

jessandjeff.net

magic-desktop.com

jitaji.com

ldmeili.com

yuwanqingmy.com

buzhouorg.com

chaiseloungereviews.com

m2g8way.com

freespin-support.com
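Formbook configs carry a list of mostly decoy domains alongside the real C2, which is why the sandbox labels these hosts "Decoy". A DNS hit on one of them is therefore a weak indicator on its own and should be correlated with the Suricata check-in alert or the responsible process. The following is an added example, not part of the original report, that normalises query names and matches them (including subdomains) against the decoy list above; the log layout and the log lines themselves are constructed for the example.

```python
"""Match DNS query logs against the decoy domains from the extracted Formbook config."""
import re
from typing import Dict, Iterable, List, Optional

# Decoy domains exactly as listed in the extracted config above.
DECOY_DOMAINS = {
    "okashyns.com", "sbsgamedaejeon-two.com", "drb77.com", "top5dating.com",
    "websprings.online", "voizers.com", "zenith.site", "lahistoriade.com",
    "qv85.com", "armandonieto.com", "priestvedic.com", "jessandjeff.net",
    "magic-desktop.com", "jitaji.com", "ldmeili.com", "yuwanqingmy.com",
    "buzhouorg.com", "chaiseloungereviews.com", "m2g8way.com",
    "freespin-support.com",
}

# Constructed sample log in an assumed "timestamp client query qname" layout.
SAMPLE_DNS_LOG = """\
2022-05-21T10:01:02Z 10.0.0.15 query www.example.com
2022-05-21T10:01:05Z 10.0.0.15 query www.okashyns.com.
2022-05-21T10:01:09Z 10.0.0.15 query Top5Dating.COM
2022-05-21T10:01:11Z 10.0.0.22 query notqv85.com
2022-05-21T10:01:15Z 10.0.0.15 query cdn.m2g8way.com
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def normalize(name: str) -> str:
    """Lower-case the name and drop the trailing root dot so lookups are exact."""
    return name.strip().rstrip(".").lower()


def matches_decoy(qname: str, decoys=DECOY_DOMAINS) -> Optional[str]:
    """Return the decoy domain that qname equals or is a subdomain of, else None.

    Walking the label suffixes (cdn.m2g8way.com -> m2g8way.com) catches subdomains
    without the substring false positive of notqv85.com against qv85.com.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in decoys:
            return candidate
    return None


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per query that resolves to a decoy domain from the config."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        decoy = matches_decoy(m["qname"])
        if decoy:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": normalize(m["qname"]),
                "decoy": decoy,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (decoy {hit['decoy']})")
```

Treat a match as a lead to pivot on (which process made the query, whether the HTTP GET check-in followed), not as confirmation of infection: the report itself does not identify which of these hosts, if any, is the live C2.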

Targets

    • Target

      order specifications.exe

    • Size

      657KB

    • MD5

      2c2b342897c2693632051bde77ef39a8

    • SHA1

      f19572d227a440b36d202343b9a6ab20ada5f2b3

    • SHA256

      2ca55ed1af922548fc6abdb7b49386a6d62edd7b6d5609d45f1c369de4fa9269

    • SHA512

      e80f335bef303ebe49279e8035b14d71aaa5c6a79d0b058df5ed22ec5f9d02fe1e59cc0ddd56b1a2e89119b540a61bfcb18dcfef2c47c051a8cbc9d08319a127

    • Formbook

      Formbook is an information stealer that harvests saved credentials and form data from browsers and other applications and sends them to its command-and-control server.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      Emerging Threats IDS rule matched on the Formbook HTTP GET check-in to its C2.

    • Formbook Payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution.

    • Reads user/profile data of web browsers

      Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and form data.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
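The behavioural signatures above can be reproduced against an API trace, which is useful when triaging a related sample outside the sandbox. The following is an added example, not the sandbox's own signature code: it replays a constructed trace (an assumed "pid api argument" layout) against rules named after the report's signatures. The registry paths used for the locale lookup and the browser profile file names are this example's assumptions about what the signatures look for, and the SetThreadContext rule fires only when the target thread belongs to another process, which is the process-hollowing pattern that makes the call suspicious.

```python
"""Replay a constructed API trace against the behaviours flagged in the report."""
import re
from typing import Dict, List, Tuple

# Constructed trace, one "pid api argument" event per line (assumed layout, not sandbox output).
SAMPLE_TRACE = [
    r"1234 RegQueryValueExW HKCU\Control Panel\International\Geo\Nation",
    r"1234 CreateFileW C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"1234 CreateFileW C:\Users\victim\Documents\notes.txt",
    r"1234 RegSetValueExW HKCU\Software\Microsoft\Windows\CurrentVersion\Run\order specifications",
    r"1234 SetThreadContext pid=1234 tid=1240",
    r"1234 SetThreadContext pid=5678 tid=5682",
]

# (signature name from the report, API regex, argument regex).
# Locale registry paths and browser file names are assumptions for this example.
API_RULES: List[Tuple[str, str, str]] = [
    ("Checks computer location settings",
     r"^RegQueryValueEx[AW]$",
     r"\\Control Panel\\International\\|\\Nls\\"),
    ("Reads user/profile data of web browsers",
     r"^CreateFile[AW]$",
     r"\\(Login Data|Cookies|logins\.json|cookies\.sqlite)$"),
    ("Adds Run key to start application",
     r"^RegSetValueEx[AW]$",
     r"\\CurrentVersion\\Run(Once)?\\"),
]

SIG_SETTHREADCONTEXT = "Suspicious use of SetThreadContext"
PID_RE = re.compile(r"\bpid=(\d+)")


def parse_event(line: str) -> Tuple[int, str, str]:
    """Split a trace line into (caller pid, API name, argument string)."""
    pid, api, arg = line.strip().split(" ", 2)
    return int(pid), api, arg


def analyze(trace: List[str]) -> Dict[str, List[str]]:
    """Map each report signature to the trace lines that trigger it."""
    findings: Dict[str, List[str]] = {}
    for line in trace:
        pid, api, arg = parse_event(line)
        for name, api_pat, arg_pat in API_RULES:
            if re.match(api_pat, api) and re.search(arg_pat, arg, re.IGNORECASE):
                findings.setdefault(name, []).append(line)
        if api == "SetThreadContext":
            m = PID_RE.search(arg)
            # Rewriting the context of a thread in a different process is the
            # hollowing/injection pattern; a process adjusting its own threads is routine.
            if m and int(m.group(1)) != pid:
                findings.setdefault(SIG_SETTHREADCONTEXT, []).append(line)
    return findings


if __name__ == "__main__":
    for signature, lines in analyze(SAMPLE_TRACE).items():
        print(signature)
        for event in lines:
            print("   ", event)
```

The Run key rule corresponds to the Registry Run Keys / Startup Folder entry (T1060 in the ATT&CK v6 matrix below) and the locale lookup to Query Registry (T1012); the injection indicator has no entry in the report's matrix, so it is reported by signature name only.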

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                            Count  ID
  Execution             Scheduled Task                       1      T1053
  Persistence           Registry Run Keys / Startup Folder   1      T1060
  Persistence           Scheduled Task                       1      T1053
  Privilege Escalation  Scheduled Task                       1      T1053
  Defense Evasion       Modify Registry                      2      T1112
  Credential Access     Credentials in Files                 1      T1081
  Discovery             Query Registry                       1      T1012
  Discovery             System Information Discovery         2      T1082
  Collection            Data from Local System               1      T1005
