General

  • Target: 53230e1e4633bff19359e6ee0490bb5833d44ab87126dcfdbdfe62ddefc54782
  • Size: 284KB
  • Sample: 220521-xld4yafcdp
  • MD5: 6c2cfd10c3b631e11fa589430d278017
  • SHA1: 95fe744b9c7b4577660739fe7ebdb0acbb1ea2b9
  • SHA256: 53230e1e4633bff19359e6ee0490bb5833d44ab87126dcfdbdfe62ddefc54782
  • SHA512: 5f62eb7543a5c62223087ee602087ec3528279386715cc069e41b84376e4525d2aae519a6cdcc8a32ab29c6c72fa4fea811564fdace0f787ff71bc1e886a6e29

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: p07

Decoy


Targets

    • Target: tq9604oy0Xa6q6L.exe
    • Size: 335KB
    • MD5: 82dd8a6c5f49f0dcff5c10e62571a3c7
    • SHA1: d4fc14325a4a3ca7fb259bbdd95ae15ee47081c1
    • SHA256: 8fcc3e95c54613cec5176ad7aabc3a5d498fb608d825f98a087ce6784fdad992
    • SHA512: bf8cbb7befa5ab3a2716634548c118dbdd7db9e4f150a48918488272e76977480acf1d3e7059216c6fbd55859a31debb08f2d2c1d8f6d5eca9989aa4fe9d0355
    • Formbook: Formbook is data-stealing malware.
    • suricata: ET MALWARE FormBook CnC Checkin (GET)
    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2
    • Formbook Payload
    • ReZer0 packer: Detects ReZer0, a packer with multiple versions used in various campaigns.
    • Deletes itself
    • Reads user/profile data of web browsers: Infostealers often target stored browser data, which can include saved credentials etc.
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Command-Line Interface (T1059): 1
  • Persistence: Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion: Modify Registry (T1112): 2
  • Credential Access: Credentials in Files (T1081): 1
  • Discovery: Query Registry (T1012): 1; System Information Discovery (T1082): 2
  • Collection: Data from Local System (T1005): 1

Tasks