General

  • Target

    Lista comenzii noi.zip

  • Size

    391KB

  • Sample

    220523-nfwblagdar

  • MD5

    59a1dc21aaa34d5720611f3eb8e27d3a

  • SHA1

    a8f852342a661ebb9eee0f13c12465ec9321217b

  • SHA256

    89515b25558b282451e372b49676640eaaf6a8fa7fa3cdf78f26cb1b12f9d53b

  • SHA512

    df6f992d93e57f1a25bc89a96d560d9d00a12438e1ea258e801bf05e65a0f3738f3a11de5294eca9405036c332dba0ffd2172f60b43473de1fcd8e1a292a80c8

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy


Targets

    • Target

      Lista comenzii noi.exe

    • Size

      787KB

    • MD5

      ef2691e1db3c1e637f0008ed1e62e23e

    • SHA1

      896ec16b45e4c21116345e30a27d6984d9305ad2

    • SHA256

      fc866730cf97ee41044b8de33c540342c1f378952cbf988cac7ab6ba205c4cba

    • SHA512

      e37d280395b79e10bc880492de72815789032377e520e19b51ac91c2a04b9560163c005e40dcae2d7dcb4f567762b4c8315e85f95aa1c6a9d6774d47daf9778c

    • Formbook

      Formbook is a data-stealing malware family.

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • ModiLoader Second Stage

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    T1060 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1112 Modify Registry (1)
