Overview

overview

10

Static

static

GENTECH PR...RY.exe

windows7_x64

10

GENTECH PR...RY.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    52052b4191b4785bd6dc43453882f41dbeb0731111bb2390c33ee30a15ba0bea

  • Size

    331KB

  • Sample

    220521-nwl3vsebh6

  • MD5

    4f7dfc4f45b54a4d4c1a3e9724b353bc

  • SHA1

    5f1877c807b0f5347971ba5a2788493ef362a2c0

  • SHA256

    52052b4191b4785bd6dc43453882f41dbeb0731111bb2390c33ee30a15ba0bea

  • SHA512

    ea811eeedc89edf8acd2a02e554390d8e9d462018fc08618c0f70c5c9e7637a1f60b6779985b2c7ef23c5ea9afba5ae8300cc2738c421c2278cb2a52bd485466

Score
10/10
formbookq5epersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

446f58.com

usadealerskills.com

henryandshekera2018.com

51weishan.com

aidlex.com

1t0tenother.men

ucai-inter.com

khelojharkhand.com

scrimvate.com

nlxgz.info

99083311.com

free-space.site

isaiahfernandes.com

atmospherictechnologies.com

posteuphoria.com

cflcinc.com

fafa886.com

bestapps4ever168.download

bpen.ltd

tongtaikeji0427.com

Targets

    • Target

      GENTECH PRODUCT INQUIRY.exe

    • Size

      642KB

    • MD5

      6366b461b56945be4a795ca8bd346ec3

    • SHA1

      d08c5c0188c8bb4e84b41bed78a805cbc0a127de

    • SHA256

      38d4e4ea5e9b15b4d221cc6627a7b088a54964dfe95b49173a45bc5f9177a249

    • SHA512

      dc07e51c460193869514c875cdc5aaa1da59855ebaee8fae5edb44cd4acf35d37190982113fda285c0c7f95fbc5c1c854c13be42d7cad53f46360c0beddd8b82

    Score
    10/10
    formbookq5epersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE Evil Google Drive Download

      suricata: ET MALWARE Evil Google Drive Download

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds Run key to start application

      persistence

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Tasks