Overview

overview

10

Static

static

RFQ and Pu...A..exe

windows7_x64

10

RFQ and Pu...A..exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    1746f63fe3b4b47c452d7321cec1abc493000042daf190fc09059451e9290dbb

  • Size

    293KB

  • Sample

    220521-pbl3ssfaa5

  • MD5

    3fc8d9c79e6a2130c4da392b42b64d4b

  • SHA1

    d9d60c87434186161df08e4b0bd1a1d051f32494

  • SHA256

    1746f63fe3b4b47c452d7321cec1abc493000042daf190fc09059451e9290dbb

  • SHA512

    677c5fde2c901410a02c33e794cdee8925d4a57e312c43d8dad95c2c9ef7e6b237ee672de3625777cf0dd6738fc067de499e9c70d91e2dd6634357f959b50dc3

Score
10/10
formbookwrezpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wrez

Decoy

living-teu.com

buyemerilairfryer360.com

locagames.com

seaworldeg.com

dokushostation.com

nethange.com

lendreview.com

officerdownapparel.info

pandora.store

yuanchuang.kim

kevinimage.win

littleinkings.com

ggluav61.com

fsylkzfkm.download

skansch.reisen

yahunjuij.com

enming.top

wwwha55188.com

russischesvisazentrum.info

document7.com

Targets

    • Target

      RFQ and Purchase Order 060920A..exe

    • Size

      378KB

    • MD5

      7f97fe13229e97475a0454942646a562

    • SHA1

      d0c150fc54a75e97a1bd54833a826b6bc294c177

    • SHA256

      b84f164b86250eaee07153f4665af8826f0e934ba80e505ae37ead324f53b971

    • SHA512

      870912c5988a4547720393518b3721386bc60724d70bbfc2445ca098475171f332c4b092993d6bea980bd76c2d22bae6b5501555736278469b0936e94ed442b3

    Score
    10/10
    formbookwrezratspywarestealertrojanpersistencesuricata

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks