7a89819406800bfa110d3caa0750c54a3fdfd6e2f48b1e236671ce18983517d6

General
Target: 7a89819406800bfa110d3caa0750c54a3fdfd6e2f48b1e236671ce18983517d6
Size: 513KB
Sample: 220521-xjrx1sbhb8
Score: 10/10
MD5: 921b3241b24e44fd80dc0f5d476adc08
SHA1: 491727164424d38afa6d057d6733bf4878ce816a
SHA256: 7a89819406800bfa110d3caa0750c54a3fdfd6e2f48b1e236671ce18983517d6
SHA512: 512a6b6a9f7be9ca9dc052690d19685ff382b68ff8900bc8f7c9a1601b7aab958381ff65824317cd0199112fc1441b50f3fbd37f60a2087f1c780133baf2a890

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: bnc
Decoy domains:

saltoasischarleston.com

gor.digital

oneserviceplace.com

ivcfte.info

grasshopperveteran.com

tblacklist.com

noahandvincent.com

bbbmorris.com

coralvillerealestate.info

rjprime.info

smilehdapp.com

texas.kitchen

lifeofbeautifulchaos.com

myfittedfurniture.com

mobiledealsnetwork.com

ateliermusicapiano.com

568027.com

johnmeanwell.com

uneggsing.com

chengshuai88.com

bb9c0clr1.online

ru5hmotorsport.com

massiveplain.com

onyxzoe.com

1k4onehot.men

quantumfingerprint.com

davidkellysounds.com

e-healinghub.com

youaremydestinyth.com

835man.com

iixiah.com

clusterdatacenter.net

comoeducarumfilho.com

heloatfotografia.com

glaucon.net

driverlesspickups.com

conquisteshop.com

estatesdevelopers.com

2ndbeats.com

rustycedarfarm.net

burnsindustrial.net

tictactocchomedey.com

sinanzhiyou.com

blueflamecollection.net

seitai-yuuki.com

dclawnsva.com

vilamouraimmobilier.com

creativa-image.com

funnelsunderground.com

bilaraby.net

Targets
Target: UPDTED PAYMENT DETAILS 948998849-909N.exe
MD5: 6d8a6794412d626d13bccfbcebda900f
Filesize: 661KB
Score: 10/10
SHA1: 466ae37bb340ce9ffca60cf8758cde8af08bd077
SHA256: dd2e99f4c8b2909221d9cddcae2aa9c5ce4e343cd4ed8e5fa7113e639412ef7f
SHA512: de7d7f7290dd4f65ae5954d29b41e6f1bbf78e17142d1287645d8a9cd3ddb3b520a8c782b1846a1f010636512431c289f4917a99dc1bc80b2059130aacd1c25a
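Added example (not from the report or from the sandbox that produced it): a small hunting script that checks a file against the hashes listed above and scans DNS query logs for the decoy domains in the extracted config. The hashes and decoy list are copied from the report; the file bytes, the log line format and the log lines themselves are constructed for the demonstration. FormBook deliberately interleaves requests to its decoy domains with traffic to its real C2, and some decoys are live legitimate sites, so the DNS check scores a host on how many distinct decoys it resolved in a short window rather than treating one lookup as a hit.

```python
"""IOC matcher for the FormBook sample described in this report.

Added example; not part of the report or the sandbox. Hashes and decoy
domains are the report's; file bytes and DNS log lines are constructed.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hashes from the report: the 513KB extracted target and the
# "UPDTED PAYMENT DETAILS 948998849-909N.exe" dropper.
REPORT_HASHES = {
    "md5": {"921b3241b24e44fd80dc0f5d476adc08",
            "6d8a6794412d626d13bccfbcebda900f"},
    "sha1": {"491727164424d38afa6d057d6733bf4878ce816a",
             "466ae37bb340ce9ffca60cf8758cde8af08bd077"},
    "sha256": {"7a89819406800bfa110d3caa0750c54a3fdfd6e2f48b1e236671ce18983517d6",
               "dd2e99f4c8b2909221d9cddcae2aa9c5ce4e343cd4ed8e5fa7113e639412ef7f"},
}

# Decoy domains from the extracted config (campaign "bnc").
DECOY_DOMAINS = {
    "saltoasischarleston.com", "gor.digital", "oneserviceplace.com", "ivcfte.info",
    "grasshopperveteran.com", "tblacklist.com", "noahandvincent.com", "bbbmorris.com",
    "coralvillerealestate.info", "rjprime.info", "smilehdapp.com", "texas.kitchen",
    "lifeofbeautifulchaos.com", "myfittedfurniture.com", "mobiledealsnetwork.com",
    "ateliermusicapiano.com", "568027.com", "johnmeanwell.com", "uneggsing.com",
    "chengshuai88.com", "bb9c0clr1.online", "ru5hmotorsport.com", "massiveplain.com",
    "onyxzoe.com", "1k4onehot.men", "quantumfingerprint.com", "davidkellysounds.com",
    "e-healinghub.com", "youaremydestinyth.com", "835man.com", "iixiah.com",
    "clusterdatacenter.net", "comoeducarumfilho.com", "heloatfotografia.com",
    "glaucon.net", "driverlesspickups.com", "conquisteshop.com", "estatesdevelopers.com",
    "2ndbeats.com", "rustycedarfarm.net", "burnsindustrial.net", "tictactocchomedey.com",
    "sinanzhiyou.com", "blueflamecollection.net", "seitai-yuuki.com", "dclawnsva.com",
    "vilamouraimmobilier.com", "creativa-image.com", "funnelsunderground.com", "bilaraby.net",
}


def file_hashes(data: bytes) -> Dict[str, str]:
    """MD5 / SHA-1 / SHA-256 of a byte string as lowercase hex."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in REPORT_HASHES}


def matches_report(data: bytes) -> List[str]:
    """Names of the report's hash fields that `data` matches (empty list = no match)."""
    return [alg for alg, digest in file_hashes(data).items()
            if digest in REPORT_HASHES[alg]]


def is_decoy(qname: str) -> Optional[str]:
    """Return the config decoy that `qname` equals or is a subdomain of, else None."""
    q = qname.rstrip(".").lower()
    for domain in DECOY_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def hunt_dns(lines: List[str], window: timedelta = timedelta(minutes=10),
             min_domains: int = 3) -> Dict[str, List[str]]:
    """Flag hosts that resolved >= `min_domains` distinct decoys within `window`.

    Constructed line format: "<ISO timestamp> <client ip> <qtype> <qname>".
    """
    per_host = defaultdict(list)
    for line in lines:
        ts, host, _qtype, qname = line.split()
        decoy = is_decoy(qname)
        if decoy:
            per_host[host].append((datetime.fromisoformat(ts), decoy))
    hits: Dict[str, List[str]] = {}
    for host, events in per_host.items():
        events.sort()
        for i, (start, _) in enumerate(events):      # slide a window over each start
            seen = {d for t, d in events[i:] if t - start <= window}
            if len(seen) >= min_domains:
                hits[host] = sorted(seen)
                break
    return hits


# Constructed DNS log: 10.0.0.5 behaves like an infected host walking the decoy
# list; 10.0.0.9 is a user who visited one decoy that happens to be a real site.
SAMPLE_DNS = [
    "2022-05-21T09:58:10 10.0.0.5 A www.saltoasischarleston.com",
    "2022-05-21T09:58:41 10.0.0.5 A www.gor.digital",
    "2022-05-21T09:59:20 10.0.0.5 A www.oneserviceplace.com",
    "2022-05-21T10:00:02 10.0.0.5 A www.ivcfte.info",
    "2022-05-21T10:05:00 10.0.0.9 A texas.kitchen",
    "2022-05-21T10:06:00 10.0.0.9 A www.example.com",
]

if __name__ == "__main__":
    print("hash match:", matches_report(b"constructed bytes, not the sample"))
    for host, decoys in hunt_dns(SAMPLE_DNS).items():
        print(f"{host}: {len(decoys)} decoys in window -> {decoys}")
```

Lower `min_domains` to 1 to list every host that touched any decoy; that view is useful for scoping but will include ordinary visitors to the legitimate sites in the list. Hash matching is exact, so a repacked dropper from the same campaign will not match; the decoy list is the more durable indicator.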

Signatures

  • Formbook

    Description

    FormBook is an information-stealing malware family: it harvests credentials and form data from web browsers and other applications, logs keystrokes and clipboard contents, and relays the results to its command-and-control server over HTTP.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    Emerging Threats Suricata rule matching the HTTP GET beacon FormBook sends to its C2 server.

  • Formbook Payload

  • Adds policy Run key to start application

    Description

    Creates an autostart value under Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, which Explorer processes at logon like the standard Run key but which legitimate software rarely uses.

    TTPs

    Registry Run Keys / Startup Folder (T1547.001); Modify Registry (T1112)

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials, cookies and form history.

    TTPs

    Data from Local System (T1005); Credentials in Files (T1552.001)

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder (T1547.001); Modify Registry (T1112)

  • Suspicious use of SetThreadContext

    Description

    SetThreadContext rewrites the register state of a thread. Outside a debugger it is a common step in process hollowing and other code injection, used to redirect a suspended thread into attacker-supplied code.
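Added example (not from the report or the sandbox): an audit of the two persistence locations the signatures above name, run over a `reg export` dump. It assumes "Adds policy Run key" refers to the Policies\Explorer\Run key and "Adds Run key" to the standard CurrentVersion\Run key; the .reg text, the value names and the paths in it are constructed. Any value under the policy key is flagged, and so is any value under either key whose image lives in a user-writable directory, which is where a dropper that copies itself before persisting usually ends up.

```python
"""Run-key persistence audit over a 'reg export' (.reg) dump.

Added example; not part of the report or the sandbox. Assumes the report's
"policy Run key" is Policies\\Explorer\\Run. The .reg text is constructed.
"""
import re
from typing import Iterator, List, Tuple

RUN_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\policies\explorer\run",
)
# Directories a standard user can write to (ProgramData root included).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# "Name"="data" with .reg escaping (\\ for backslash, \" for double quote)
_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value name, data) for REG_SZ values; hex:/dword: values are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:
                data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
                yield key, m.group(1), data


def image_path(command: str) -> str:
    """Executable path from a Run value: the quoted token, else text up to the first .exe."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def audit_run_keys(reg_text: str) -> List[dict]:
    """Findings for autostart values matching the report's two Run-key signatures."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.lower().endswith(RUN_KEYS):
            continue
        path = image_path(data)
        reasons = []
        if key.lower().endswith(RUN_KEYS[1]):
            reasons.append("policy Run key (rarely used by legitimate software)")
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append("image under user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "image": path, "reasons": reasons})
    return findings


# Constructed .reg dump in the format `reg export` writes (paths and names invented).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorAgent"="C:\\Program Files\\Vendor\\agent.exe"
"Updater"="\"C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe\" -silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"K7Q2ZR"="C:\\Users\\alice\\AppData\\Roaming\\K7Q2ZR\\k7q2zr.exe"
'''

if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f"{f['key']}\\{f['name']} -> {f['image']}: {'; '.join(f['reasons'])}")
```

To run it against a real host, export both the HKCU and HKLM branches (for example `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg /y`) and read the file with `encoding="utf-16"`, since `reg export` writes UTF-16LE with a BOM. Legitimate per-user installers (OneDrive, Teams and similar) also live under AppData\Local, so the user-writable finding is a triage lead, not a verdict; the policy-key finding is far more specific.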

MITRE ATT&CK Matrix

Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Privilege Escalation