Overview

overview

10

Static

static

3

REVISED SA...DF.exe

windows7-x64

10

REVISED SA...DF.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_0a940798457e134b2fadd4709c35e76a9499ba49ac295636bd200af9cc9f2b09

  • Size

    543KB

  • Sample

    241230-yf6sfawjbj

  • MD5

    97c1fd058c4a2def8d629f7f1d18608c

  • SHA1

    ec9468d7d8e2d2e49877f430b95d823216f1c1d2

  • SHA256

    0a940798457e134b2fadd4709c35e76a9499ba49ac295636bd200af9cc9f2b09

  • SHA512

    7355d887900f3db66406ebe1e369feca68a0a553cdacdc6f2e9a4b3849dbd168a8900c26d94e0a821d2e83a3df7983b3dba3692d013eb18efe26aa55a9b93627

  • SSDEEP

    12288:ADjpnApeYB8vPIXfqFj3fWLXA1d4qFil+eJqBJUlsBtMUqyZ2:ADdn+Mwuj3fWYCweJqXuudL2

Score
10/10
formbookstgdiscoverypersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

stg

Decoy

kralhandyrepair.com

find-r.net

ranggainn.com

gstv.fan

franklinimarshallboutique.com

q2gx75.com

detroitwingshop.com

quarnteacher.net

magicskydaddy.com

happenutem.com

trinity-safety.net

lovelocalliving.com

deyingmall.com

symbioticenterprise.com

dianahimmelreich.com

portalsemilla.com

girlswhohoop.com

everyonepharmaacademy.com

goimelink.com

kpasanow.com

Targets

    • Target

      REVISED SALES CONTRACT _81773291-4SU _ PDF.bin

    • Size

      645KB

    • MD5

      c3281495a49edbf811f733f22553dc22

    • SHA1

      b0d1a4e2d5301a83e0233079ee98895f6b0ecd53

    • SHA256

      7233b29d1b7129ad7c3466a94f7e608ab6673335dd4654063aab1d0b5422e973

    • SHA512

      91f8eb526b13779529467cc02aa20a1889515682a6968ff97871c8e9a7da2a5518d1d1562d824b7744b65e3e1d235d1c0b5b3ce456c65be6fedfbebe9b70387e

    • SSDEEP

      12288:6cwtKGfPSDKDJwrnixtgw1Na3i/PLa7wTJerx8CHH4WD/Mz4iVQdC:B3GHVJw0tgSsUPLCuJkp7rMzFx

    Score
    10/10
    formbookstgdiscoveryratspywarestealertrojanpersistence

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook family

      formbook

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks