Overview

overview

10

Static

static

BANK_STA.exe

windows7_x64

10

BANK_STA.exe

windows10-2004_x64

6

Sharing

Copy URL
Twitter E-mail

General

  • Target

    f7ecfaeac5396a71dfb3d37217125df96e854c2920da7d474184145445f13896

  • Size

    1.2MB

  • Sample

    220521-pradyafha6

  • MD5

    fd26a83ec3b8bee5f6bb778b98a47629

  • SHA1

    ab83ea20dc54304d755cfd874510129ccbeb0bae

  • SHA256

    f7ecfaeac5396a71dfb3d37217125df96e854c2920da7d474184145445f13896

  • SHA512

    6748835104acdf26001bfc4b2ea34345070781c5cc770eb3f8f84f07ffd33f40c6610d0ddb4d7224e1e8150c608f80418450300a260d490ca2842286dd8a5147

Score
10/10
formbookhskpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

hsk

Decoy

fastcarsforless.com

motmx.info

mail-identity.info

eurovision360.com

hongmuchuanqi.com

ekamente.com

lifestylechristianityfilms.com

garsongroup.com

vykupujeme-knihy.info

mosqueswatch.com

eiyaw.info

multiexample.win

fastkart.net

thebestviva.com

resellers-store.com

dominobets.com

cluemagz.com

aleshianicole.com

craftsmandeadmiration.com

flossiecrums.com

Targets

    • Target

      BANK_STA.EXE

    • Size

      339KB

    • MD5

      c9b0c4cb22b9f6ca2ba4e65a6ddd3f85

    • SHA1

      1db3cc412c6785f5380dc3dd62d8532b6e306ef6

    • SHA256

      2fdf0daf15395bf89c3baab2efff427dd7026ba306bb5c77c5f5598f5c6eb30f

    • SHA512

      28e7992983db2edea83b57af7e3c1848ccc46ef71db3cf1ba250eba3199cea219df2899090b175f944d7315b949fbe1e876a02690bdf607aba1788a8e9f65f74

    Score
    10/10
    formbookhskpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks