02b4d21a4dcfe793027cc1be224d94f5334fff82ac52248a3e44aba68666978d

General
Target

02b4d21a4dcfe793027cc1be224d94f5334fff82ac52248a3e44aba68666978d

Size

199KB

Sample

220521-xlr1sscac8

Score
10 /10
MD5

12e0e4ff2d88c07589c90c8e2fd5438f

SHA1

311c177ee8913ead940718182b9f33ada6634dc9

SHA256

02b4d21a4dcfe793027cc1be224d94f5334fff82ac52248a3e44aba68666978d

SHA512

7ad9daf173996eae303f610fe14c86c1b1a10edb1f78c88c963d876c6fe06f6ae9c331b7c89ef9f2b7e40734136d8ed3ddfd9d0c9ebe57b29ecb70feeed81cf3

Malware Config

Extracted

Family formbook
Version 3.9
Campaign uw7
Decoy


Targets
Target

new.exe

MD5

a88e4bd1e3507132fcdd28f38a6751f7

Filesize

268KB

Score
10/10
SHA1

26e3eed8ee5b0e18cc401ed88b73b287c8ad8de7

SHA256

7527530d28c88ea0850926a24ba050a4a77983fb8271309c749ba43e7b10c695

SHA512

657b6c77d0d72945293978df4dc4bae3fb722978be866ddfe0ceb3fa6c604ed9c27ef516a77f159cc98dd577fb4a042fcf8c9406912f7985a8d5e8b3587682ae

Signatures

  • Formbook

    Description

    Formbook is a data-stealing malware.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload

  • Adds policy Run key to start application

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Deletes itself

  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and similar user profile data.

    TTPs

    Data from Local System, Credentials in Files
  • Maps connected drives based on registry

    Description

    Disk information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix

  • Command and Control
  • Credential Access
  • Defense Evasion
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Privilege Escalation