General

  • Target

    5939356c2c0aad4e9fdcf3ee9ee412f4_JaffaCakes118

  • Size

    750KB

  • Sample

    240519-h8abyagd2w

  • MD5

    5939356c2c0aad4e9fdcf3ee9ee412f4

  • SHA1

    5fbb5cea57afa1dc97afdab98d399fba70cc7e14

  • SHA256

    51b6e66830ed3c735e61530f8d1d22773a0fe7ee4c3548e46785492378ffc93d

  • SHA512

    628f926c1177796480666cd82ee754e4a0b9d670ad29d2f7e44eb1af241f0b2b22be7d26d912b01bad7064f7431a1e4bb3f3ca390298db26baa31e11c7d9e87d

  • SSDEEP

    12288:GF0wFQtr2hf4pz2McEwmXHeAsmZfL9tGwyd2GSt9x33POb1BRUEjGkEH:gNuw9e2MzXHFdZjC4f3fOb3jG

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    bi

  • Decoy

Targets

    • Target

      MTM2019-2 ph12 RESG.exe

    • Size

      1.6MB

    • MD5

      ca6397f8234b085dbffcd71872910163

    • SHA1

      aed7c39031d764e25c5758a3c276144cee36a131

    • SHA256

      cd4b7cfc524a98551a90fccc7110e52fcce550152cf1ad1017fba87c68faab1d

    • SHA512

      6221ddef49a594636f172335e01328d99d75aa2974c9935d10d244504e810682c61b63ea7db94425b89a1302947e597a50ec8444a607d72434e631532f90820a

    • SSDEEP

      24576:+AHnh+eWsN3skA4RV1Hom2KXMmHa2uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyCSbY:ph+ZkldoPK8Yajl0

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Adds policy Run key to start application

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence

    Boot or Logon Autostart Execution, T1547 (1)

    Registry Run Keys / Startup Folder, T1547.001 (1)

  • Privilege Escalation

    Boot or Logon Autostart Execution, T1547 (1)

    Registry Run Keys / Startup Folder, T1547.001 (1)

  • Defense Evasion

    Modify Registry, T1112 (2)

  • Credential Access

    Unsecured Credentials, T1552 (1)

    Credentials In Files, T1552.001 (1)

  • Collection

    Data from Local System, T1005 (1)

Tasks