General

  • Target

    58ad5809679780f2881abbfd2f71a065_JaffaCakes118

  • Size

    215KB

  • Sample

    240519-fqfpwsbg58

  • MD5

    58ad5809679780f2881abbfd2f71a065

  • SHA1

    9d2a0f17a427fac59f688ab230e47c38b59d70a3

  • SHA256

    1e6c099087c8a69c5f047ac1d9c8939fa5d41bbe5ac08ad4a4ae17789f988baf

  • SHA512

    6859aa05d8a9af051c246903322b713b6b33b66c7763e86cf43a3b7c5725fde5457174f7b1c146be5e6bab72f7730bf851bb8de664d021693cbca4a697d850d6

  • SSDEEP

    6144:Q5HbE76Po2crYnxmR0Yndm5YNoQPX/pSeOTTVT/:aHS50nQ905GoSX5ApT/

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.7

  • Campaign

    uz

  • Decoy


Targets

    • Target

      Shipment details.iso

    • Size

      272KB

    • MD5

      3cd78dd1d589491459b6e90fdb38eecd

    • SHA1

      56f24ebba94d3b28a564cb237f1d770567a141e7

    • SHA256

      63b8a8aac85edd637c8cfe100dd59b63e9c53586b15ef5a7898152e3aa34ce88

    • SHA512

      984bdf2a39e75ec7b4139f3cf61045b9102226fd8d5bdb879693ac601a0766293627349a5fcee63701fc891d1e4825186dcba1d4a6748b638c3617c750caba25

    • SSDEEP

      6144:JwwhwyeV4xYkxBcgzm4dcsLGK1JcNqv5pYHRy9UXyi6lPZ:J0atxBaAFHCqw89UCZlPZ

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Adds policy Run key to start application

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                              Count  ID
  Execution              Command and Scripting Interpreter      1      T1059
  Persistence            Boot or Logon Autostart Execution      1      T1547
  Persistence            Registry Run Keys / Startup Folder     1      T1547.001
  Privilege Escalation   Boot or Logon Autostart Execution      1      T1547
  Privilege Escalation   Registry Run Keys / Startup Folder     1      T1547.001
  Defense Evasion        Modify Registry                        2      T1112
  Credential Access      Unsecured Credentials                  1      T1552
  Credential Access      Credentials In Files                   1      T1552.001
  Discovery              Query Registry                         1      T1012
  Discovery              System Information Discovery           2      T1082
  Collection             Data from Local System                 1      T1005

Tasks