General

  • Target

    2cea867ece0089b2bdb51424e81d2f9bd31c80f5c3910fa17bce6c7a36eaed66

  • Size

    396KB

  • Sample

    220521-xhfhlabgc8

  • MD5

    6d254b56f45f05c290a88d0308accf84

  • SHA1

    626f1dbaea39422e92793f49eef0733611f70a3b

  • SHA256

    2cea867ece0089b2bdb51424e81d2f9bd31c80f5c3910fa17bce6c7a36eaed66

  • SHA512

    3656a0c9bceb7e11e2881389d5ca39b9a0d7dacb274cdea844c463574d0307b1dbbac4a6a2c558ab6f5ae245be1140ac0177bc187332be076a02524f5a65dd93

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

5x9

Decoy

leolarice.com

dldkys.com

pomponnextdoor.com

bandhenvironmentalservices.net

deli-jewelry.info

eo57.com

ymmggsy.com

lelefamilys.com

genizarohorses.com

wingedwhalemedia.com

taoxinwz.com

bestspanearme.net

1q7five.loan

badou28.com

a-ztreeservice.net

edfwebspace.com

haha688.net

thepathtowellbeing.com

theresetcoach.com

redeyesg.com
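The domains above come straight out of the extracted config, so the natural next step is to match them against DNS or proxy logs. One caveat a practitioner should keep in mind: the report labels the list "Decoy" for a reason. Formbook configs bundle the real command-and-control host with a set of unrelated, often legitimate domains, and the implant cycles through them, so a single resolution of one of these names is weak evidence, while one client resolving several of them in a short window is a much stronger signal. The following Python is an added example, not part of the report; the log format and the log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Decoy domains as listed in the extracted Formbook config above.
DECOY_DOMAINS = {
    "leolarice.com", "dldkys.com", "pomponnextdoor.com",
    "bandhenvironmentalservices.net", "deli-jewelry.info", "eo57.com",
    "ymmggsy.com", "lelefamilys.com", "genizarohorses.com",
    "wingedwhalemedia.com", "taoxinwz.com", "bestspanearme.net",
    "1q7five.loan", "badou28.com", "a-ztreeservice.net", "edfwebspace.com",
    "haha688.net", "thepathtowellbeing.com", "theresetcoach.com", "redeyesg.com",
}

# Constructed DNS log (assumed format: timestamp, client IP, queried name).
SAMPLE_DNS_LOG = """\
2022-05-21T10:01:02Z 10.0.0.15 www.leolarice.com
2022-05-21T10:01:03Z 10.0.0.15 eo57.com
2022-05-21T10:02:10Z 10.0.0.22 example.org
2022-05-21T10:02:11Z 10.0.0.15 cdn.wingedwhalemedia.com
2022-05-21T10:03:00Z 10.0.0.31 notleolarice.com
2022-05-21T10:03:05Z 10.0.0.31 thepathtowellbeing.com.
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def matches_decoy(qname, decoys=DECOY_DOMAINS):
    """Return the matching decoy domain for a queried name, or None.

    Walks from the full host name up through its parent suffixes so that
    subdomains (www.leolarice.com) match while look-alikes that merely
    contain the string (notleolarice.com) do not.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in decoys:
            return candidate
    return None


def scan_dns_log(text, decoys=DECOY_DOMAINS):
    """Group decoy-domain hits by client: {client: [(ts, qname, decoy), ...]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, client, qname = m.groups()
        decoy = matches_decoy(qname, decoys)
        if decoy:
            hits[client].append((ts, qname, decoy))
    return dict(hits)


def suspicious_clients(hits, threshold=2):
    """Clients that resolved at least `threshold` distinct decoy domains.

    Formbook beacons to many of its configured domains in turn, so breadth
    across the list is a stronger indicator than any single resolution.
    """
    return sorted(
        client for client, entries in hits.items()
        if len({decoy for _, _, decoy in entries}) >= threshold
    )


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for client, entries in hits.items():
        print(client, [qname for _, qname, _ in entries])
    print("suspicious:", suspicious_clients(hits))
```

Treat the single-hit clients as hunting leads rather than alerts; the threshold function is where an analyst would tune for the environment, and the domains should not go onto a blocklist without checking which of them are live C2 versus legitimate sites used as cover.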

Targets

    • Target

      S-19799C.exe

    • Size

      633KB

    • MD5

      d7bd3e606c11ebcf2262604c19538bcf

    • SHA1

      2e25f74cfc2acbe56592888237270d8f6f6df50d

    • SHA256

      55c852b0c762e30f96e7948cd2db3f940f8a18714f4c8146775d65e53f9fd385

    • SHA512

      8b5873e50dd6f8a899f723881705cb8187730caeeb1d9432deacf90a77b950dc6104c64bdeaa66dd98c20c0ac70c0a9e2a8f4042ce406ed77961a4820d431d5d

    • Formbook

      Formbook is an information-stealing malware family sold as a service. It harvests stored credentials from browsers and mail clients, logs keystrokes, and takes screenshots, then reports to the domains carried in its configuration (the check-in traffic the Suricata rules in this list match).

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

    • Formbook Payload

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers target the browser profile directory because it holds saved credentials, session cookies and autofill data; reading those files is the collection step behind the Credentials in Files and Data from Local System techniques listed below.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
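The two Run-key behaviours above ("Adds Run key" and "Adds policy Run key") map to the same registry locations on any Windows host: the per-user or per-machine CurrentVersion\Run keys and the less common Policies\Explorer\Run key, which is also honoured at logon and is rarely written by legitimate software. The Python below is an added example, not part of the report, showing how a responder would sweep a registry export for those entries; the .reg text is constructed for illustration and the suspicious paths in it are assumed, not taken from the sample.

```python
import re

# Registry key suffixes that the "Adds Run key" / "Adds policy Run key"
# behaviours correspond to (matched case-insensitively on the key tail,
# so both HKCU and HKLM variants are covered).
RUN_KEY_SUFFIXES = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
)

# Paths a standard user can write to; a Run entry pointing here is a
# common persistence pattern for droppers and is worth a look.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

# Constructed registry export in .reg syntax (not from the report).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Users\\user\\AppData\\Roaming\\payload.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"x"="C:\\Users\\Public\\svchost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"ShellState"=hex:24,00
"""

# "name"="string value" lines; .reg escapes backslash and quote with a backslash.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Yield (key, value_name, string_value) for every string value in the export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if key and m:  # non-string values (hex:, dword:) are skipped
            yield key, unescape(m.group(1)), unescape(m.group(2))


def is_run_key(key):
    k = key.lower()
    return any(k.endswith(suffix) for suffix in RUN_KEY_SUFFIXES)


def find_persistence(text):
    """Return Run-key entries that warrant triage, with the reason for each."""
    findings = []
    for key, name, command in parse_reg_export(text):
        if not is_run_key(key):
            continue
        is_policy = "\\policies\\explorer\\run" in key.lower()
        in_user_path = any(p in command.lower() for p in USER_WRITABLE)
        if is_policy or in_user_path:
            findings.append({
                "key": key,
                "name": name,
                "command": command,
                "reason": "policy Run key" if is_policy else "user-writable path",
            })
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_REG):
        print(f"{f['reason']:20} {f['key']}\\{f['name']} -> {f['command']}")
```

Any entry under Policies\Explorer\Run is reported regardless of path, since that key is almost never populated by normal installers; ordinary Run entries are only flagged when they launch from a user-writable location. Per-user software that legitimately lives in AppData will also trip the second rule, so the output is a triage list to check against signer and hash, not an alert on its own.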

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic              Technique                             ID      Hits
Persistence         Registry Run Keys / Startup Folder    T1060   2
Defense Evasion     Modify Registry                       T1112   3
Credential Access   Credentials in Files                  T1081   1
Collection          Data from Local System                T1005   1

Tasks