Overview

overview

10

Static

static

LIST OF PR...if.exe

windows7_x64

10

LIST OF PR...if.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dcd73db429860f4bc7129bb0a18fac90b153c23708a5f51799d37d67cc1c0397

  • Size

    286KB

  • Sample

    220521-pr2s7abbbq

  • MD5

    026fb7b4b0e9b4af2fe861f3885f1a2a

  • SHA1

    d7d736afeb73fa81f98ce86b83491709273d434a

  • SHA256

    dcd73db429860f4bc7129bb0a18fac90b153c23708a5f51799d37d67cc1c0397

  • SHA512

    b73ca8865c13785115b6fcd6f02e3044c3f22fcc261ba58152ad836c5510ebcece95a04b1a6184e0855423296fc8528037564c8b6400fc7d860b6df4432c0f1f

Score
10/10
formbookoil4persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oil4

Decoy

beautytrends.store

artthon.com

notimemanifesto.com

myhallrewards.com

paradiseholidaysindore.com

merahputihclub.com

jualmobilmurahtoyota.com

b-engineer.studio

pisf.net

lwhy.ltd

pastorbiodun.com

villagewalkresales.com

huakang-data.com

ilovebatidoras.com

rongqigangban.net

lakeventsnz.com

beslfs.info

yannabez.tech

panigalev4.net

wmfuture.com

Targets

    • Target

      LIST OF PRODUCTS AND SPECIFICATIONS.pif.exe

    • Size

      353KB

    • MD5

      0edbbf75ef9d721e2fa0f253ea04e240

    • SHA1

      23bfdfc2350d21972cdee329ff96813c14488d6a

    • SHA256

      d33a10ceda8ca53c008f216420f52ff2371705f69803603b688e1fbf3bd1b13d

    • SHA512

      c66ec95d11efcf3a54da2588e9b2e6f084df5af505ba16c29d300d9e274784383c36a4776c672e056e85b15aef28f9ee49711c552e9796547e526057f098853e

    Score
    10/10
    formbookoil4ratspywarestealertrojanpersistencesuricata

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks