General

  • Target

    c910b0c026aced55235b98818dce27b57f6a5d55fdc93efa234e9b0aae4eb6fb

  • Size

    544KB

  • Sample

    220521-xjjawabha6

  • MD5

    71764b88119a999d58f295d0a778173d

  • SHA1

    ba0fcc3e05d1843b1f886d6037c39f37ba0a0101

  • SHA256

    c910b0c026aced55235b98818dce27b57f6a5d55fdc93efa234e9b0aae4eb6fb

  • SHA512

    322c3c9bfa77ef5739ccacafdbe44e2f964a8b6d60fde4a0add19b7770396126c421ecbc1e33e92e55daa588391ccaba929f0709b1f397700776cfc675202117

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    emh

  • Decoy

Targets

    • Target

      RFQ_august.exe

    • Size

      756KB

    • MD5

      f5bf9905ff7c573695fe1e53a1338e5c

    • SHA1

      1d531327f162c4bb844f42694fe5da4f95dc9510

    • SHA256

      e6ef5385235001a8743ac0ee83f839abdd66abed79cff1429020270168bd9357

    • SHA512

      f382aa021ee9ece8ea92fda10391bb540b11f9c172f76c85745b12169de1d9aec0edd8a9649d6033edf5c049c98ff00f6b605b604482d1b25cf343536edba17e

    • Formbook

      Formbook is an information-stealing malware family (infostealer) that harvests data such as credentials and form contents from the infected host.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and other sensitive profile information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059), 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060), 2

  • Defense Evasion

    Modify Registry (T1112), 4

  • Credential Access

    Credentials in Files (T1081), 1

  • Discovery

    System Information Discovery (T1082), 1

  • Collection

    Data from Local System (T1005), 1