Overview

overview

10

Static

static

1

SteamSetup.exe

windows7-x64

6

SteamSetup.exe

windows10-2004-x64

6

$PLUGINSDI...ls.dll

windows7-x64

3

$PLUGINSDI...ls.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

$PLUGINSDI...ss.dll

windows7-x64

3

$PLUGINSDI...ss.dll

windows10-2004-x64

3

Steam.exe

windows7-x64

4

Steam.exe

windows10-2004-x64

5

bin/SteamService.exe

windows7-x64

1

bin/SteamService.exe

windows10-2004-x64

1

uninstall.exe

windows7-x64

4

uninstall.exe

windows10-2004-x64

4

$PLUGINSDI...LL.dll

windows7-x64

3

$PLUGINSDI...LL.dll

windows10-2004-x64

3

$PLUGINSDI...nk.dll

windows7-x64

3

$PLUGINSDI...nk.dll

windows10-2004-x64

3

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SteamSetup.exe

  • Size

    2.3MB

  • Sample

    250205-mbbwqasjhx

  • MD5

    1b54b70beef8eb240db31718e8f7eb5d

  • SHA1

    da5995070737ec655824c92622333c489eb6bce4

  • SHA256

    7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

  • SHA512

    fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

  • SSDEEP

    49152:UDP/q9MIX/crfcNVBaXp1m0zyVCMwBHgFzoZhRP8:kC9MI8Hm0GCjgFc3Rk

Score
10/10
formbookgurcua01dcollectiondiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a01d

Decoy

eniorshousing05.shop

rywisevas.biz

4726.pizza

itchen-design-42093.bond

3456.tech

4825.plus

nlinecraps.xyz

itamins-52836.bond

nfluencer-marketing-40442.bond

nline-advertising-58573.bond

rautogroups.net

limbtrip.net

oftware-download-14501.bond

nline-advertising-66733.bond

erity.xyz

xknrksi.icu

x-ist.club

yber-security-26409.bond

oincatch.xyz

onitoring-devices-34077.bond

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7640909551:AAGr64V1_buwzMrphxWr0zMKzK8B2OBPSL0/sendDocument?chat_id=5884046747&caption=Admin%20/%20Passwords%20/%20181.215.176.8

Targets

    • Target

      SteamSetup.exe

    • Size

      2.3MB

    • MD5

      1b54b70beef8eb240db31718e8f7eb5d

    • SHA1

      da5995070737ec655824c92622333c489eb6bce4

    • SHA256

      7d3654531c32d941b8cae81c4137fc542172bfa9635f169cb392f245a0a12bcb

    • SHA512

      fda935694d0652dab3f1017faaf95781a300b420739e0f9d46b53ce07d592a4cfa536524989e2fc9f83602d315259817638a89c4e27da709aada5d1360b717eb

    • SSDEEP

      49152:UDP/q9MIX/crfcNVBaXp1m0zyVCMwBHgFzoZhRP8:kC9MI8Hm0GCjgFc3Rk

    Score
    6/10
    discoverypersistence

    • Adds Run key to start application

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral1behavioral2

    • Target

      $PLUGINSDIR/StdUtils.dll

    • Size

      110KB

    • MD5

      db11ab4828b429a987e7682e495c1810

    • SHA1

      29c2c2069c4975c90789dc6d3677b4b650196561

    • SHA256

      c602c44a4d4088dbf5a659f36ba1c3a9d81f8367577de0cb940c0b8afee5c376

    • SHA512

      460d1ccfc0d7180eae4e6f1a326d175fec78a7d6014447a9a79b6df501fa05cd4bd90f8f7a85b7b6a4610e2fa7059e30ae6e17bc828d370e5750de9b40b9ae88

    • SSDEEP

      1536:cyy+HcFWrX52XWcS15c4DBVOw/bEQvWt6uouMw5m0mhdBu4NpBTvO7Fvo6mVS6oz:fy+8ozImcSNd1YHbMbCk/S

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      $PLUGINSDIR/System.dll

    • Size

      22KB

    • MD5

      a36fbe922ffac9cd85a845d7a813f391

    • SHA1

      f656a613a723cc1b449034d73551b4fcdf0dcf1a

    • SHA256

      fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

    • SHA512

      1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

    • SSDEEP

      384:V8QIl975eXqlWBrz7YLOlE/NyQH38E9VF6IYinAM+oZ5a1TN:VgPgrfYLO+rMEpYinAMxZG

    Score
    3/10
    discovery
    behavioral5behavioral6

    • Target

      $PLUGINSDIR/nsDialogs.dll

    • Size

      20KB

    • MD5

      4e5bc4458afa770636f2806ee0a1e999

    • SHA1

      76dcc64af867526f776ab9225e7f4fe076487765

    • SHA256

      91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

    • SHA512

      b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

    • SSDEEP

      384:ABSzm+t18pZ0WAg0RhIFgnGNyQH38E9VF6IYinAM+oZfNRoZk:NupZ/Ag0/T8MEpYinAMxZ7oW

    Score
    10/10
    discoveryformbookgurcua01dcollectionexecutionpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook family

      formbook

    • Gurcu family

      gurcu

    • Gurcu, WhiteSnake

      Gurcu aka WhiteSnake is a malware stealer written in C#.

      stealergurcu

    • Formbook payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Accesses Microsoft Outlook profiles

      collection

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral7behavioral8

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      17KB

    • MD5

      2095af18c696968208315d4328a2b7fe

    • SHA1

      b1b0e70c03724b2941e92c5098cc1fc0f2b51568

    • SHA256

      3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

    • SHA512

      60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

    • SSDEEP

      384:PbGgezxEqoyGgmkNFNyQH38E9VF6IYinAM+oZhc3iMy8:T31yGLkbMEpYinAMxZAy8

    Score
    3/10
    discovery
    behavioral10behavioral9

    • Target

      $PLUGINSDIR/nsProcess.dll

    • Size

      15KB

    • MD5

      08072dc900ca0626e8c079b2c5bcfcf3

    • SHA1

      35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

    • SHA256

      bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

    • SHA512

      8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

    • SSDEEP

      192:WUl64IGsjDNyQDbnPvy2sE9jBF6IYiYF8pA5K+oZ7W76OCwy9GUe:5ZsNyQH38E9VF6IYinAM+oZYsBe

    Score
    3/10
    discovery
    behavioral11behavioral12

    • Target

      Steam.exe

    • Size

      4.2MB

    • MD5

      33bcb1c8975a4063a134a72803e0ca16

    • SHA1

      ed7a4e6e66511bb8b3e32cbfb5557ebcb4082b65

    • SHA256

      12222b0908eb69581985f7e04aa6240e928fb08aa5a3ec36acae3440633c9eb1

    • SHA512

      13f3a7d6215bb4837ea0a1a9c5ba06a985e0c80979c25cfb526a390d71a15d1737c0290a899f4705c2749982c9f6c9007c1751fef1a97b12db529b2f33c97b49

    • SSDEEP

      98304:7JeV/ztZBe91oiImuUiK9N9EGQKF9lSHbr7aw:1S/hwkmg4EpbrOw

    Score
    5/10
    discovery

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    behavioral13behavioral14

    • Target

      bin/SteamService.exe

    • Size

      2.5MB

    • MD5

      ba0ea9249da4ab8f62432617489ae5a6

    • SHA1

      d8873c5dcb6e128c39cf0c423b502821343659a7

    • SHA256

      ce177dc8cf42513ff819c7b8597c7be290f9e98632a34ecd868dc76003421f0d

    • SHA512

      52958d55b03e1ddc69afc2f1a02f7813199e4b3bf114514c438ab4d10d5ca83b865ba6090550951c0a43b666c6728304009572212444a27a3f5184663f4b0b8b

    • SSDEEP

      49152:G+v+Y6iR3Gdcw/9I4AEZvvxYtP6iJ6aFmDJRicyM/wHH1sc:G+v+YbGiwV9AEZvW0iJRma

    Score
    1/10
    behavioral15behavioral16

    • Target

      uninstall.exe

    • Size

      155KB

    • MD5

      32109e2aac377fa07b849f4f4033edc5

    • SHA1

      a7b87a221744fb2e36327be0a34c17b7d734c47f

    • SHA256

      72ffe8859eaa63637f5a62b7c454241db35938f8326f6ccf20352e00f8df2fe5

    • SHA512

      688d9b51060d84c4e2dd0ddbb20d43bbc8bf93a903f26e855f546335bd7a5c9ef5c6f888dff35d379cbb1d782c5e231b33831b7272cde2b40c2d7fc2b85ffc0d

    • SSDEEP

      3072:iIAe+3aJpgWXTBuq/JFONM2cZ6iKowuq12ApG3s/6:izB+pgURJFOS21iQ5i+6

    Score
    4/10
    discovery
    behavioral17behavioral18

    • Target

      $PLUGINSDIR/LangDLL.dll

    • Size

      16KB

    • MD5

      46ba3881f8b27f54a8d92d600e61ee7b

    • SHA1

      15933b6ece85a6d45fd78ae499b445a3bc6d2d05

    • SHA256

      4fca692a36f0c99e26b5bc7ef9db5269d2c1e21288184953898130fea9b1c4fc

    • SHA512

      6f64d3cb4634ed51710f578667b92a429aa871a0a141092df3cf7e0134a0b145f802f91126f1ce43ddb4b9d6cc6fb875c9acec22eab0cec86a72dd916e1f9eb3

    • SSDEEP

      384:kTrZBV86AQINyQH38E9VF6IYinAM+oZtfpMVK:kXZL86A1MEpYinAMxZ5aK

    Score
    3/10
    discovery
    behavioral19behavioral20

    • Target

      $PLUGINSDIR/ShellLink.dll

    • Size

      15KB

    • MD5

      130e29fa7dc68393d3ef12fa5fe876b9

    • SHA1

      54d3b821df8f42e26698f0cf99bca5d2e6aa080e

    • SHA256

      eae7829a3df5d8d63e16787f7c3d5ae4b82b3b79c2cd7aad9c2532374b6ea522

    • SHA512

      56dbae0e1918ed50c99a863304544d5d31925c62d4ebfd7244d67f909c353ee4160b081b43832cf33f1048f998431ba14270600de512dc6c853a17dd524df317

    • SSDEEP

      384:Ld7JQGYNyQH38E9VF6IYinAM+oZiDzQ06:LgVMEpYinAMxZqzB6

    Score
    3/10
    discovery
    behavioral21behavioral22

    • Target

      $PLUGINSDIR/nsExec.dll

    • Size

      17KB

    • MD5

      2095af18c696968208315d4328a2b7fe

    • SHA1

      b1b0e70c03724b2941e92c5098cc1fc0f2b51568

    • SHA256

      3e2399ae5ce16dd69f7e2c71d928cf54a1024afced8155f1fd663a3e123d9226

    • SHA512

      60105dfb1cd60b4048bd7b367969f36ed6bd29f92488ba8cfa862e31942fd529cbc58e8b0c738d91d8bef07c5902ce334e36c66eae1bfe104b44a159b5615ae5

    • SSDEEP

      384:PbGgezxEqoyGgmkNFNyQH38E9VF6IYinAM+oZhc3iMy8:T31yGLkbMEpYinAMxZAy8

    Score
    3/10
    discovery
    behavioral23behavioral24

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

1
T1120

Query Registry

6
T1012

Remote System Discovery

1
T1018

System Information Discovery

5
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Data from Local System

1
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Tasks

static1

Score
1/10

behavioral1

discoverypersistence
Score
6/10

behavioral2

discoverypersistence
Score
6/10

behavioral3

discovery
Score
3/10

behavioral4

discovery
Score
3/10

behavioral5

discovery
Score
3/10

behavioral6

discovery
Score
3/10

behavioral7

discovery
Score
3/10

behavioral8

formbookgurcua01dcollectiondiscoveryexecutionpersistenceratspywarestealertrojan
Score
10/10

behavioral9

discovery
Score
3/10

behavioral10

discovery
Score
3/10

behavioral11

discovery
Score
3/10

behavioral12

discovery
Score
3/10

behavioral13

discovery
Score
4/10

behavioral14

discovery
Score
5/10

behavioral15

Score
1/10

behavioral16

Score
1/10

behavioral17

discovery
Score
4/10

behavioral18

discovery
Score
4/10

behavioral19

discovery
Score
3/10

behavioral20

discovery
Score
3/10

behavioral21

discovery
Score
3/10

behavioral22

discovery
Score
3/10

behavioral23

discovery
Score
3/10

behavioral24

discovery
Score
3/10