Overview

overview

10

Static

static

Purchase O...nt.exe

windows7_x64

10

Purchase O...nt.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dcb50eb4e606d1db5f3438f67dd8f02a0113eda8319e602bbb7dbaec55a28f3c

  • Size

    236KB

  • Sample

    220521-ny6kaaech8

  • MD5

    0fb952bd7d74a69ac56acdc0fb4c9b16

  • SHA1

    abd505039744cc8e2878cadbe076f4da67f4968d

  • SHA256

    dcb50eb4e606d1db5f3438f67dd8f02a0113eda8319e602bbb7dbaec55a28f3c

  • SHA512

    fb42235f64da8120982379582e5d5af426157ce518fbc38526a5bf119bde711affa7b15512506dba9e7d659deb7dd9a7d64067dd63d567392ef18842eff085fe

Score
10/10
formbooky22persistenceratrezer0spywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

y22

Decoy

hashafriyat.com

autoaccessorieshub.com

simelautomazioni.com

bulkappothecary.com

streaminglowcost.com

pixelraps.com

yyy9928.com

pigmansion.net

keyunix.com

bjbangshou.com

mindfulrace.com

fibuv.life

cambridgedesignpartnership.com

plumbeus.com

somebodydial911.com

atrishq.com

circcountry.com

ellenandjames.info

jeeprevivalstore.com

thetouchofjo.com

Targets

    • Target

      Purchase Order 77809 for acknowledgment.exe

    • Size

      281KB

    • MD5

      48884ebe9169015be3e42f68ad14d7be

    • SHA1

      4c0fe63fe5090ed8ac71f3af10dfc84c9b8b0f5e

    • SHA256

      b36d0b4952457c89f455f2333a815b0a1d7530a108bf43ea0ef1a7c17fe2774b

    • SHA512

      9258362c161b710264767cb180913c3190c6594961d40d1fdc976babfeeb4494aab31678cc9eb75662bf48e1055c8d62de0c8c9d2f4061e3917afb325c6bc0b4

    Score
    10/10
    formbooky22persistenceratrezer0spywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

      rezer0

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks