Overview

overview

10

Static

static

80d967b707...86.exe

windows7_x64

10

80d967b707...86.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    80d967b707bb161f63ea1f4dd4b18ca3bea87e5ccc1ecfbbafe1ce251eaf2386

  • Size

    548KB

  • Sample

    220706-r5ab7sgaa9

  • MD5

    52b4ab184953eb0206a26c7b6da611f9

  • SHA1

    3efe986b907a864ea964fcf82a428dd36ef01b40

  • SHA256

    80d967b707bb161f63ea1f4dd4b18ca3bea87e5ccc1ecfbbafe1ce251eaf2386

  • SHA512

    edc5200e160898142f436ba8403247501e9c7e0e98a7876797c0e0d3dfc1bcd9cfb5656fd44007c7d5b5ab9aa1ef2550df1d8e677c2d53082dd4b92b404e6a60

Score
10/10
formbookde08ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de08

Decoy

retirecloudyyard.com

fabiyan.xyz

chrisarlyde.com

selapex.com

vivalosgales.com

specialty-medicine.com

contasesolucoes.com

satunusanews.net

allyibc.com

alameda1876.com

artofdala.com

yukoidusp.xyz

steeldrumbandnearme.com

stonewedgetechnology.com

kentonai.com

macquarie-private.com

ddgwy.com

megagreenhousekits.com

descomplicaomarketing.com

inclusiverealtor.com

Targets

    • Target

      80d967b707bb161f63ea1f4dd4b18ca3bea87e5ccc1ecfbbafe1ce251eaf2386

    • Size

      548KB

    • MD5

      52b4ab184953eb0206a26c7b6da611f9

    • SHA1

      3efe986b907a864ea964fcf82a428dd36ef01b40

    • SHA256

      80d967b707bb161f63ea1f4dd4b18ca3bea87e5ccc1ecfbbafe1ce251eaf2386

    • SHA512

      edc5200e160898142f436ba8403247501e9c7e0e98a7876797c0e0d3dfc1bcd9cfb5656fd44007c7d5b5ab9aa1ef2550df1d8e677c2d53082dd4b92b404e6a60

    Score
    10/10
    formbookde08ratspywarestealersuricatatrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata: ET MALWARE FormBook CnC Checkin (GET)

      suricata

    • Formbook Payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks