Overview

overview

10

Static

static

9

Order InQuiry.exe

windows7_x64

10

Order InQuiry.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    5dbc56add4738f555a48c4d1e8f9b773421c6881fed842b32c8866943458a17f

  • Size

    268KB

  • Sample

    220521-pw2zrabchp

  • MD5

    a00b302e17a459995db7f6e73335f82e

  • SHA1

    bfba7653638188d6e5f988bda3e253ee38baec26

  • SHA256

    5dbc56add4738f555a48c4d1e8f9b773421c6881fed842b32c8866943458a17f

  • SHA512

    2c50fc5ebde7810e9f64a6d4b14704f75cf34cdd74e633ce2a05696cbb1792f2fd8731cd295d8975105f73f92298587814c03048434d2c8aae78c297b96c624d

Score
10/10
formbookq5epersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Targets

    • Target

      Order InQuiry.exe

    • Size

      324KB

    • MD5

      cbf04abfe31536e464fb853fd145a6de

    • SHA1

      696d354f611589cf631371cdade86277ea5dc224

    • SHA256

      e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9

    • SHA512

      2162acf2c67f8abdb8602f5acfa6495c028c9ad3bde95c869efa8445c2fea4c083d6bd6122e0061469fff1dcefb6eec420bc6165257a0ef5e19e855a475d78c1

    Score
    10/10
    formbookq5eratspywarestealertrojanpersistencesuricata

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks