53230e1e4633bff19359e6ee0490bb5833d44ab87126dcfdbdfe62ddefc54782

General

Target: 53230e1e4633bff19359e6ee0490bb5833d44ab87126dcfdbdfe62ddefc54782
Size: 284KB
Sample: 220521-xld4yafcdp
Score: 10/10
MD5: 6c2cfd10c3b631e11fa589430d278017
SHA1: 95fe744b9c7b4577660739fe7ebdb0acbb1ea2b9
SHA256: 53230e1e4633bff19359e6ee0490bb5833d44ab87126dcfdbdfe62ddefc54782
SHA512: 5f62eb7543a5c62223087ee602087ec3528279386715cc069e41b84376e4525d2aae519a6cdcc8a32ab29c6c72fa4fea811564fdace0f787ff71bc1e886a6e29

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: p07
Decoy


Targets

Target: tq9604oy0Xa6q6L.exe
MD5: 82dd8a6c5f49f0dcff5c10e62571a3c7
Filesize: 335KB
Score: 10/10
SHA1: d4fc14325a4a3ca7fb259bbdd95ae15ee47081c1
SHA256: 8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992
SHA512: bf8cbb7befa5ab3a2716634548c118dbdd7db9e4f150a48918488272e76977480acf1d3e7059216c6fbd55859a31debb08f2d2c1d8f6d5eca9989aa4fe9d0355

Signatures

  • Formbook

    Description

    Formbook is an information-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

  • Formbook Payload

  • ReZer0 packer

    Description

    Detects ReZer0, a packer with multiple versions used in various campaigns.

  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials.

    TTPs

    Data from Local System; Credentials in Files

  • Adds Run key to start application

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

  • Suspicious use of SetThreadContext
