Overview

overview

10

Static

static

1

Nowezamwie...df.exe

windows7-x64

10

Nowezamwie...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Nowezamwieniezakupupdf.exe

  • Size

    2.0MB

  • Sample

    240912-s3wcbssapd

  • MD5

    0ff53c4fcc6b65dea0d1883564e08808

  • SHA1

    0d7ef9122a9bca045607f8397c476a24fc2c0553

  • SHA256

    39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4

  • SHA512

    fb47e6cb7a4686fe03c297881aa699a892785c0a8a1e19128d19215ae4e7df26e795c0fdcc12b9cf45b6ffcdb9def11be13eb1097bf04d20062aa6a1ff073dd8

  • SSDEEP

    49152:ufDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszv8u1mlSCg3:ufDQQsKbq

Score
10/10
formbookgy15credential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

hairsdeals.today

acob-saaad.buzz

9955.club

gild6222.vip

nline-shopping-56055.bond

lmadulles.top

utemodels.info

ighdd4675.online

nqqkk146.xyz

avasales.online

ortas-de-madeira.today

haad.xyz

races-dental-splints-15439.bond

hilohcreekpemf.online

rrivalgetaways.info

orktoday-2507-02-sap.click

eceriyayinlari.xyz

lsurfer.click

aston-saaae.buzz

etrot.pro

Targets

    • Target

      Nowezamwieniezakupupdf.exe

    • Size

      2.0MB

    • MD5

      0ff53c4fcc6b65dea0d1883564e08808

    • SHA1

      0d7ef9122a9bca045607f8397c476a24fc2c0553

    • SHA256

      39310b37cd28d9a559c63637c4f5e9649cdaef2ccae1269193e141ed50023ae4

    • SHA512

      fb47e6cb7a4686fe03c297881aa699a892785c0a8a1e19128d19215ae4e7df26e795c0fdcc12b9cf45b6ffcdb9def11be13eb1097bf04d20062aa6a1ff073dd8

    • SSDEEP

      49152:ufDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszv8u1mlSCg3:ufDQQsKbq

    Score
    10/10
    formbookgy15credential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Formbook payload

      rat

    • Adds policy Run key to start application

      persistence

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks