General

  • Target: cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568
  • Size: 293KB
  • Sample: 220725-ct89tsbacn
  • MD5: 6f1685cc2b2a642ae65783697ba6e983
  • SHA1: 60cea5318393a8723f150e7fb9ad448489e955c7
  • SHA256: cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568
  • SHA512: ddcd2f12e5fd098396787e067a52553ee4709f71c82ad5060a1304841d7498d459814bf104e362f563165f1a8919f9bf352c652adedbffc539618b2ff85ae5f3

Malware Config

Extracted

  • Family: formbook
  • Version: 3.8
  • Campaign: sh
  • Decoy domains:
      studiogoparty.com
      furi-mold.com
      cdicoun-tombola.info
      elizabethlhall.com
      nakayama-hanasai.com
      9910pe.com
      iraqbreakingnews.com
      91fyy.com
      intersafetyland.com
      dddadditive.com
      gewuan.net
      ikwxanxb.click
      shenghangdianzi.com
      nuskinmemory.com
      sonrel-julie.com
      rapidlegalcenter.com
      jcldsp.com
      dibamoviez.net
      sochuan66.com
      platformoneclothing.com

Targets

    • Target: cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568
    • Size: 293KB
    • MD5: 6f1685cc2b2a642ae65783697ba6e983
    • SHA1: 60cea5318393a8723f150e7fb9ad448489e955c7
    • SHA256: cae8e977de32b6913c75f8ec8fb052b7fdb3bd293c7e2840df3afc2248e0e568
    • SHA512: ddcd2f12e5fd098396787e067a52553ee4709f71c82ad5060a1304841d7498d459814bf104e362f563165f1a8919f9bf352c652adedbffc539618b2ff85ae5f3

  Signatures

    • Formbook
      Formbook is an information-stealing malware family.
    • suricata: ET MALWARE FormBook CnC Checkin (GET)
    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2
    • Formbook payload
    • Adds policy Run key to start application
    • Reads user/profile data of web browsers
      Infostealers often target stored browser data, which can include saved credentials and similar profile information.
    • Uses the VBS compiler for execution
    • Adds Run key to start application
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                            Hits  ID
  Execution          Scripting                            1     T1064
  Execution          Command-Line Interface               1     T1059
  Persistence        Registry Run Keys / Startup Folder   2     T1060
  Defense Evasion    Modify Registry                      3     T1112
  Defense Evasion    Scripting                            1     T1064
  Credential Access  Credentials in Files                 1     T1081
  Discovery          System Information Discovery         1     T1082
  Collection         Data from Local System               1     T1005
