Overview

overview

10

Static

static

swift copy.exe

windows7_x64

10

swift copy.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    35db64bb80ae718b8b9950b4403bd9137635d327bef811d0a20d1e51e6880116

  • Size

    429KB

  • Sample

    220521-ns1rvaeah7

  • MD5

    690d69d79901644d01a52492a49886dc

  • SHA1

    b9450470be4b384ef5ca1f09bb39a6d21365f38d

  • SHA256

    35db64bb80ae718b8b9950b4403bd9137635d327bef811d0a20d1e51e6880116

  • SHA512

    9c2f4b4cdf81fe1ab7323a9ca845d3b5ba1ae30c228f1c1a8238c3992a6d7d714bbdb07747f1a67e54491dd4ea351a47fd49330f2449e27f5823040e1f436ffd

Score
10/10
formbookb1vpersistenceratrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

b1v

Decoy

regaloscoletivos.com

bedavasiteler.com

gutbrod-helfer.com

lfp1979.com

qtgermany.net

clevelandwebsitesolutions.com

clssport.com

mercurydrivers.com

fair1financial.com

danieleragatzu.com

airstrats.com

willowporch.com

qeampfdb.com

apexjoy.com

hortifloral.com

timessquarebagelburgers.com

jryasb.info

voicetalent.online

fgzwq.com

btobtoyz.com

Targets

    • Target

      swift copy.exe

    • Size

      573KB

    • MD5

      51ed5644fa60ea88173be008966c2c1d

    • SHA1

      e73015b1433639e1a2be19d26b6a5a3b8b39dfc2

    • SHA256

      eddcaacc8947b326dd6998c90175846c76375ee953074668354ac72dba27ffdf

    • SHA512

      b64bcfd74a38f372c687935590624d31d759df1e913d082e490c025797f00c50f4fa2dbf961a888196f2d151f175bec6227105a6ac372071a696608a710c7c97

    Score
    10/10
    formbookb1vpersistenceratrezer0spywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks