62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634

General

Target: 62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634
Size: 511KB
Sample: 220521-xjvnxabhc2
Score: 10/10
MD5: 14b803db733bac403f630661535f2d5d
SHA1: 2e0b3d4faea71fb933dfe355d789350bc27cb414
SHA256: 62ea106bcccb1514b2dc55f5ef7e4fd0b9d1b6943f104e719efc53abe4ea6634
SHA512: 49a2f8c4cc6c499d01e8b84084a9b7da1fa43fca780284e20a926c8c1729db200e8c23042e25f151029637951bbdb47e3cdc141f5c5ea8fc94f8a001bb070f48

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: kvsz
Decoy:

Targets

Target: ?????? ?? ???????.exe
MD5: 203f52c19d874bb4206677f8075c7677
Filesize: 662KB
Score: 10/10
SHA1: 9f0b37d6aa3854442d0336a0a853593f9177ad85
SHA256: cdcf2838549fff5889e730c6acf553d1de2940575da7e75b8aeefb043dc13ac0
SHA512: d44325b203d93fd86bb75eb75e8ebcd7618d4f3997d6179d8103101a054eb5f9f40a5de53dcacb2f12d8c4adfaa7a115fbece2d4431b772cf3d22a9984343c25

Signatures

  • Formbook
    Description: Formbook is a data-stealing (infostealer) malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    Description: Suricata ET rule match for a FormBook command-and-control check-in over HTTP GET.

  • Formbook Payload

  • Checks computer location settings
    Description: Looks up the country code configured in the registry, likely for geofencing.
    TTPs: Query Registry; System Information Discovery

  • Reads user/profile data of web browsers
    Description: Infostealers often target stored browser data, which can include saved credentials.
    TTPs: Data from Local System; Credentials in Files

  • Adds Run key to start application
    TTPs: Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation