Overview

overview

10

Static

static

USD 87700,000.exe

windows7_x64

10

USD 87700,000.exe

windows10-2004_x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    d3135a8df1547e8ebd4b0bd048f3e4d0e5e6c0fe2f99b90b80f09a17be4cb364

  • Size

    549KB

  • Sample

    220521-nvc4kaebe4

  • MD5

    f2f49b8cea58408e80b277a20d1f02ff

  • SHA1

    6b84d638b4619bff67b3077c11900b8318daf1c3

  • SHA256

    d3135a8df1547e8ebd4b0bd048f3e4d0e5e6c0fe2f99b90b80f09a17be4cb364

  • SHA512

    2d8b79452a6fe5d75a4cb157e0bfd360b7ad4b0c87f3cb799ee2b9f6d2b2a5d2a7a749f670b9c0e4f15d0458b71f5afc2f29d4ff2726ebc85bdd0162c74f3dbe

Score
10/10
formbookn7akpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

Targets

    • Target

      USD 87700,000.exe

    • Size

      1.1MB

    • MD5

      818f7516f05f3031b20c0300649e5c01

    • SHA1

      1529ab8f997fd8010d2b43d920cd7eec1a18e126

    • SHA256

      35bb2187c8bcf8921677dc34a4a3bf7f33144c97370346f4ff616c82a2e278b5

    • SHA512

      8cd2fe02936797a20dc1f22a502e27ff5d2e8679386252c47c0a3a6dccec01c87b91c92adf227378898e0946c1d67d0733011df179d81874308dd52455c3c14d

    Score
    10/10
    formbookn7akpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks