a49faa221eca9dddac32e17773b35fa4e3f9c34c3869d27bf9776e281be3b28c

General
Target

a49faa221eca9dddac32e17773b35fa4e3f9c34c3869d27bf9776e281be3b28c

Size

298KB

Sample

220521-xkwycsbhh4

Score
10 /10
MD5

3589e399dfd18f86f328160d15059c86

SHA1

b7fb7bd3482b8ee2a8313a65df68049b83d6679b

SHA256

a49faa221eca9dddac32e17773b35fa4e3f9c34c3869d27bf9776e281be3b28c

SHA512

660419feb76766f30fc117736befd95b7aa97cc1b126715297b9705348facf1d8f0e59ec206cd070d9f8a5caac1162b03c01fed790e44d083368cc23fbde9fed

Malware Config

Extracted

Family formbook
Version 4.1
Campaign tnk
Decoy

Targets
Target

PO##4354267813...pdf.exe

MD5

c5fb3b2e9f90517e533c327808e3dc2d

Filesize

336KB

Score
10/10
SHA1

2a36c1413dc4276c3c1f57cf392f93285380a93a

SHA256

112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818

SHA512

eb254fd0b9577f382b3b29d999a0f43e1643e85aeca13fd0887eadf33a77a116612c739297e90f6b0aadb392e5aefa1a435b9bf6443e7c21acc62c3a88c38054

Signatures

  • Formbook

    Description

    Formbook is a data-stealing (information-stealer) malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload

  • Adds policy Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System; Credentials in Files
  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry
  • Suspicious use of SetThreadContext

Related Tasks

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation