Overview

overview

10

Static

static

Astrak Ireland.exe

windows7_x64

10

Astrak Ireland.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7c469d13d8d1bee81f06aa095e9a1c8e9bb2f462c0d0510821aae248e4ad3fa9

  • Size

    493KB

  • Sample

    220521-nrz4xseaf6

  • MD5

    3e1c55fb03d43b2ba561d18d1ef9eb4c

  • SHA1

    6374d7ba09d624ca5190921620dfb47aca0361e6

  • SHA256

    7c469d13d8d1bee81f06aa095e9a1c8e9bb2f462c0d0510821aae248e4ad3fa9

  • SHA512

    81a7ca9ce38120bb4c4c26793a7fcfe435978dc01d087769e934a0e3ca70f445a358b8a0c2de9f794ac653933adda4e56c9eaf170c5ff7f2348c1c894ed9da48

Score
10/10
formbooktefpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tef

Decoy

revolutionaryatthirty.com

archangeltmr.com

110439.info

antarcticvanity.com

facebookmarketplaceimport.com

actibion.com

reallylala.com

stylishbeans.com

sunsethillliving.com

kanbanskills.com

wjxsbszp.com

progettomx.com

visitnaplesgolf.com

consultingwithgt.com

hookthedeals.com

7solarseas.info

perfectformoms.com

studentsforabetterworld.com

zanjv.info

onlineorderpk.com

Targets

    • Target

      Astrak Ireland.exe

    • Size

      660KB

    • MD5

      ad847505a30e1ca3b19c648c2e2fef3d

    • SHA1

      f9c313ce7ca94bfb909cf3c93574e273a997ae98

    • SHA256

      ad0c0d03282b4abf01f435f798fbb71d0243714518f265fc8f102f909822e671

    • SHA512

      31fb21148a8f5010df7c0c2a3691edfc373ab6ff2241b44d0b7dcfe0774e5d21bcd7748b02506c04164593ad4808f7bd38e41cb60cd24fb048521a6dff08b7fe

    Score
    10/10
    formbooktefpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks