2cea867ece0089b2bdb51424e81d2f9bd31c80f5c3910fa17bce6c7a36eaed66

General
Target

2cea867ece0089b2bdb51424e81d2f9bd31c80f5c3910fa17bce6c7a36eaed66

Size

396KB

Sample

220521-xhfhlabgc8

Score

10/10
MD5

6d254b56f45f05c290a88d0308accf84

SHA1

626f1dbaea39422e92793f49eef0733611f70a3b

SHA256

2cea867ece0089b2bdb51424e81d2f9bd31c80f5c3910fa17bce6c7a36eaed66

SHA512

3656a0c9bceb7e11e2881389d5ca39b9a0d7dacb274cdea844c463574d0307b1dbbac4a6a2c558ab6f5ae245be1140ac0177bc187332be076a02524f5a65dd93

Malware Config

Extracted

Family formbook
Version 3.9
Campaign 5x9
Decoy


Targets
Target

S-19799C.exe

MD5

d7bd3e606c11ebcf2262604c19538bcf

Filesize

633KB

Score

10/10

SHA1

2e25f74cfc2acbe56592888237270d8f6f6df50d

SHA256

55c852b0c762e30f96e7948cd2db3f940f8a18714f4c8146775d65e53f9fd385

SHA512

8b5873e50dd6f8a899f723881705cb8187730caeeb1d9432deacf90a77b950dc6104c64bdeaa66dd98c20c0ac70c0a9e2a8f4042ce406ed77961a4820d431d5d

Tags

Signatures

  • Formbook

    Description

    Formbook is an information-stealing malware family.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Description

    suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    Tags

  • Formbook Payload

    Tags

  • Adds policy Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup FolderModify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation