c910b0c026aced55235b98818dce27b57f6a5d55fdc93efa234e9b0aae4eb6fb

General
Target

c910b0c026aced55235b98818dce27b57f6a5d55fdc93efa234e9b0aae4eb6fb

Size

544KB

Sample

220521-xjjawabha6

Score
10/10
MD5

71764b88119a999d58f295d0a778173d

SHA1

ba0fcc3e05d1843b1f886d6037c39f37ba0a0101

SHA256

c910b0c026aced55235b98818dce27b57f6a5d55fdc93efa234e9b0aae4eb6fb

SHA512

322c3c9bfa77ef5739ccacafdbe44e2f964a8b6d60fde4a0add19b7770396126c421ecbc1e33e92e55daa588391ccaba929f0709b1f397700776cfc675202117

Malware Config

Extracted

Family formbook
Version 4.1
Campaign emh
Decoy

sweetmiya.com

zsyzm.com

carpediem.immo

sparkconfections.com

oliverezechi.net

wearephoenixtraining.com

artistxpressions.com

kesfetmeninkeyfi.com

kasvomaskitnetista.com

mertzlife.com

vcbuild.world

mwessentialcleaningservice.com

fairresale.com

dermot.online

impentri.com

bestsanitizingservice.com

210wscottstj.info

camilafinale.com

pepperhaul.com

centrobiblicomoradasanta.com

brittanyfarmer.com

stencersaintelange.com

filmutam.com

wpierdol.gratis

naturehonest.com

daye5.com

wowyuu.net

dajiangzhibo24.com

768278.com

614express.store

bachelorcourses.com

lys0op.xyz

engineerspost.com

acsn.xyz

ymavispa.com

cubicalmonks.com

phoenixacademys.com

cathywardphotography.com

tomhoge.com

mejorescontigo.com

sorchaashe.com

789yyhh.com

teamborisgaming.com

browngirlfinances.com

container-bnb.com

literarypantry.com

mikageisi.com

mcallistersgiftsandcrafts.com

cobaehorizabita.com

patriotremodelingservices.com

Targets
Target

RFQ_august.exe

MD5

f5bf9905ff7c573695fe1e53a1338e5c

Filesize

756KB

Score
10/10
SHA1

1d531327f162c4bb844f42694fe5da4f95dc9510

SHA256

e6ef5385235001a8743ac0ee83f839abdd66abed79cff1429020270168bd9357

SHA512

f382aa021ee9ece8ea92fda10391bb540b11f9c172f76c85745b12169de1d9aec0edd8a9649d6033edf5c049c98ff00f6b605b604482d1b25cf343536edba17e

Tags

Signatures

  • Formbook

    Description

    Formbook is a data-stealing (infostealer) malware family.

    Tags

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    Tags

  • Formbook Payload

    Tags

  • Adds policy Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    Tags

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application

    Tags

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation