General

  • Target

    tmp

  • Size

    298KB

  • Sample

    220616-p44hjshfe2

  • MD5

    e29af60c4ef79bee0553d2fb6e5e45bf

  • SHA1

    621afdcdfdba54a39c17ff294879dcfdb944593e

  • SHA256

    7afd3634a44e0fac1006ed44b66e67fc4c58704cfcfcbe2266c9f52a3fcccbd6

  • SHA512

    6b1e06f84e16670c444adc4f465d0aab9339dd72f3dca95bed3484ad51556a9879f2ccf87146294011b723b10996fe47ff34a866426037f89c98b1100a0ed611

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s3s3

Decoy

Targets

    • Target

      tmp

    • Formbook

      Formbook is a data-stealing malware family.

    • Modifies system executable filetype association

    • Neshta

      Malware from the Neshta family infects other files in order to spread itself and cause damage.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • Formbook Payload

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Change Default File Association (T1042), 1 signature

  • Defense Evasion

    Modify Registry (T1112), 1 signature

  • Credential Access

    Credentials in Files (T1081), 1 signature

  • Discovery

    Query Registry (T1012), 2 signatures

    System Information Discovery (T1082), 3 signatures

  • Collection

    Data from Local System (T1005), 1 signature

Tasks