Overview

overview

10

Static

static

PO##435426...df.exe

windows7_x64

10

PO##435426...df.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    a49faa221eca9dddac32e17773b35fa4e3f9c34c3869d27bf9776e281be3b28c

  • Size

    298KB

  • Sample

    220521-xkwycsbhh4

  • MD5

    3589e399dfd18f86f328160d15059c86

  • SHA1

    b7fb7bd3482b8ee2a8313a65df68049b83d6679b

  • SHA256

    a49faa221eca9dddac32e17773b35fa4e3f9c34c3869d27bf9776e281be3b28c

  • SHA512

    660419feb76766f30fc117736befd95b7aa97cc1b126715297b9705348facf1d8f0e59ec206cd070d9f8a5caac1162b03c01fed790e44d083368cc23fbde9fed

Score
10/10
formbooktnkpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tnk

Decoy

lafioletto.com

mgiuj.com

wolllafvixzies.win

wwwsbvip123.com

nadyaasnae.com

noticesinvoice2017.com

intercapati.com

tg8895.com

9245654874.com

lytsxc.info

rffuf3-liquidwebsites.com

verguet.com

peinturefleursetfemmes.com

xttmrama.com

cryptoinvestmentideas.com

kikumasacarparts.win

freeapk1.com

tasteofimagination.com

gxzyoa.com

cq-mingwei.com

Targets

    • Target

      PO##4354267813...pdf.exe

    • Size

      336KB

    • MD5

      c5fb3b2e9f90517e533c327808e3dc2d

    • SHA1

      2a36c1413dc4276c3c1f57cf392f93285380a93a

    • SHA256

      112b6fe2084ca3501c8a98a9cd90f60ce691a438864be736b049062379195818

    • SHA512

      eb254fd0b9577f382b3b29d999a0f43e1643e85aeca13fd0887eadf33a77a116612c739297e90f6b0aadb392e5aefa1a435b9bf6443e7c21acc62c3a88c38054

    Score
    10/10
    formbooktnkpersistenceratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Adds policy Run key to start application

      persistence

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

2
T1060

Privilege Escalation

Defense Evasion

Modify Registry

3
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks