General

  • Target

    f613838bee52f12dbcb75ec0e0df49976588c4ad55324e546c1a1bf9b3f0c8c3

  • Size

    392KB

  • Sample

    220521-nzsd2shedq

  • MD5

    8d5e94307d0d2f5c013a918281c57483

  • SHA1

    3fe6317de58a5f9843cf7bf697b0523a34e493a2

  • SHA256

    f613838bee52f12dbcb75ec0e0df49976588c4ad55324e546c1a1bf9b3f0c8c3

  • SHA512

    5f2f0f0bca61103d03c575ddfb768c11d93d5fb59c68e48d003f88207db3ce90180f05c1340ee40d246c8109351fa0e91ef0f7c119492d1e4ca73f7008e2ee46

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

w9z

Decoy

crazzysex.com

hanferd.com

gteesrd.com

bayfrontbabyplace.com

jicuiquan.net

relationshiplink.net

ohchacyberphoto.com

kauegimenes.com

powerful-seldom.com

ketotoken.com

make-money-online-success.com

redgoldcollection.com

hannan-football.com

hamptondc.com

vllii.com

aa8520.com

platform35markethall.com

larozeimmo.com

oligopoly.net

llhak.info

Targets

    • Target

      PO 31287.exe

    • Size

      713KB

    • MD5

      d4d301c9e1554996470078236b71ee3d

    • SHA1

      df42e6511611746e410735758e41dc1d9bed1f97

    • SHA256

      378a7a9a7d15d9a8a477751a956475909953f739d65d92a85d0e7997279c1bd5

    • SHA512

      ca46d025ed7ea28f4e2928a60ff86ac1948016bb774798cb42bbaaa8ff0238ec0210fc717bd1d1e40a63ff8e51bf35b138508b4de5cfd5b03fbefd2fae3b4416

    • Formbook

      Formbook is an information-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic            | Technique                            | ID    | Count
  ------------------+--------------------------------------+-------+------
  Execution         | Command-Line Interface               | T1059 | 1
  Persistence       | Registry Run Keys / Startup Folder   | T1060 | 2
  Defense Evasion   | Modify Registry                      | T1112 | 3
  Credential Access | Credentials in Files                 | T1081 | 1
  Discovery         | System Information Discovery         | T1082 | 1
  Collection        | Data from Local System               | T1005 | 1

Tasks