General

  • Target

    5b8a341d18803152d2be2af3313830091764943deaad2e391907c0b23e521e50

  • Size

    271KB

  • Sample

    220521-plbd2sagak

  • MD5

    9baaf843b51d81dcaf87703cc309adb1

  • SHA1

    acca45c245832d041dbcb6b67c93fc623a3a9533

  • SHA256

    5b8a341d18803152d2be2af3313830091764943deaad2e391907c0b23e521e50

  • SHA512

    70822a0e72d2a13f753a75003749481e93de26a88496dcd7a0796b9de18c4f9e29c9c5b86d8ab6f66b80b98b203259992dab21c7a3f6d9a5a71037767f0b412e

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.0

  • Campaign

    g8u

  • Decoy

    stuition.com
    mj-sculpture.com
    cannatainmentevents.com
    dianjintang.com
    rmlusitania.info
    effet-spiruline.com
    flatheme.com
    supergaminator-vip.com
    craftyourmagic.com
    lakai.ltd
    electionshawaii.com
    iqpdct.com
    thebestfourstarhotels.com
    satoshiceo.com
    saintmartiner.com
    brothersmarinetoronto.com
    citicoin.online
    scentsationalsniffers.com
    hellonighbourgameees.com
    displayonline-france.com

Targets

    • Target

      Salary.exe

    • Size

      301KB

    • MD5

      cddc72c9292768f8719c1e5127a9997d

    • SHA1

      5ae294116d27d67b2c3cee4b0b1b79ecbd25d582

    • SHA256

      f3f3cda95f4d655f189381268676beef7ab70ed8355ff178abcad416c71adb22

    • SHA512

      240c7a82c7b848f59aef3e09c01eca8d97c853ae7bf1270dea844835876019d8ee9eac83c5d7bc2ad56bdddd8853c6877a3a5c79ec0ba504eb4e8cb1200a49c1

    • Formbook

      Formbook is a data-stealing malware (infostealer).

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • ReZer0 packer

      Detects ReZer0, a packer with multiple versions used in various campaigns.

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                            Count  ID
Persistence         Registry Run Keys / Startup Folder   1      T1060
Defense Evasion     Modify Registry                      2      T1112
Credential Access   Credentials in Files                 1      T1081
Discovery           Query Registry                       1      T1012
Discovery           System Information Discovery         1      T1082
Collection          Data from Local System               1      T1005

Tasks