Overview

overview

10

Static

static

9

Payment Co...HS.exe

windows7_x64

10

Payment Co...HS.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8a49f25ba44d858ff27e35a4ff1f2263cb4604dcb7e0f3e7c1d9aa459994a2ae

  • Size

    355KB

  • Sample

    220521-xjqd7afbdl

  • MD5

    4d5d1321bccd2bfafbc68a516ea8c698

  • SHA1

    c9d09c12b0bbc066002c9aee31bbaf45637ea5e7

  • SHA256

    8a49f25ba44d858ff27e35a4ff1f2263cb4604dcb7e0f3e7c1d9aa459994a2ae

  • SHA512

    0a3d0f49145e3f5fba13357d9de07c3ae46f1722be24906911a936f16d826b4b63f59f758c5a7af65a377144bf4e37f9c4893b71bc3cf5d81d71e2d69da9927d

Score
10/10
formbookeb96persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

eb96

Decoy

mcoutinhoparedes.seat

assestsmagazine.com

giveaway-4skaters.win

upgradetolifestyle.com

imagingnetworkri.net

51wwjf.com

hypstop.com

xn--aupetitsoindescurs-8jd.com

zhijipifu.com

lfqbzx.com

xn--fiqxlo3jzoe6w0e.com

ayhalo.com

rendcarparts.net

speekeesy.com

chillwalle.com

nama-no.com

spidermonkeytattoos.net

leaderhebei.com

syspatch.net

indigrup.com

Targets

    • Target

      Payment Copy H001510WHS.exe

    • Size

      389KB

    • MD5

      f1afc41326ef3fc69d160827fc1cb0d1

    • SHA1

      d274831a7e3f6459e1c07d9c78ae6b39784f2564

    • SHA256

      d31a7e5639e4248f8debe115c8e6cdea00616a2b4a6a6757ea158dbe1c84748a

    • SHA512

      2fb7110523ef1edcffbe9d35d8130585bdb75214c18a71bb7c25bb196370f18f416ec2957a057c7a372ad2d50bfdb4dd35aed53bd290b0d1c63c842fa2c81ce0

    Score
    10/10
    formbookeb96persistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks