Overview

overview

10

Static

static

9

ORDER-#4536 ,pdf.exe

windows7_x64

10

ORDER-#4536 ,pdf.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    880da923f8772e14298ecf7dc1d8008a5b3ec594faa09121b14a3b5764006584

  • Size

    313KB

  • Sample

    220521-pawwlsehf6

  • MD5

    86fbd99fc4e7ca9003e8a14c879ec642

  • SHA1

    7a3af7f2f7036a4f2497f3e8b78e1d8132805e0d

  • SHA256

    880da923f8772e14298ecf7dc1d8008a5b3ec594faa09121b14a3b5764006584

  • SHA512

    e5accc929ca5c224678b705d72ea5c1201ee68d453d2ece40a4289abd480a109ed1f5b82e5e8da3d2cc8dd1d146dda813a643e8baa839c5dcfaca7dbc3ce3a05

Score
10/10
formbooktepersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

te

Decoy

165whc.info

qdbfqfphjidqgtbttnq.com

theforceforsakens.com

septsix.com

meinnatura.com

markcici.com

rh-tv.com

yangzhie288.com

crystalent.biz

ipearlvoyager.com

depositvoucher.accountant

xn--g5ty9lgeu39hdrv5sm.com

newitemof.info

bombkitty.com

lewesdelawarerealestate.com

9c1nine.loan

ramrajindustries.com

standardpitbullpups.com

gentlestitches.com

dotruckbig.live

Targets

    • Target

      ORDER-#4536 ,pdf.exe

    • Size

      504KB

    • MD5

      6a094a17412972fa961de3851585c5d9

    • SHA1

      d4c4f6f3dd9c59fad99b4a419b3b30f1b7c4bb15

    • SHA256

      50f8d8b5cbbad3f2a1d4a25b84553ba285f49318ab3dbb8d436b6709582997e8

    • SHA512

      6e05941dd561baaa89e74a7461247b5e83e3adab5e0ad6d26e796e8422ebc6fa617c0c8461cb97801e65693de50adc18b138c067d0a01a8b1c83567fff1740ba

    Score
    10/10
    formbooktepersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks