Overview

overview

10

Static

static

Scan0186460022.exe

windows7_x64

10

Scan0186460022.exe

windows10-2004_x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scan0186460022.exe

  • Size

    28KB

  • Sample

    220324-dqbptsgafk

  • MD5

    4fcb4c25f8c90512688e83cdc8daf8b3

  • SHA1

    256bb873dcfa16fade3e911cb348b217df8b389f

  • SHA256

    1668071dae27e79c5de1abc1d04e278ce9ffe980fd36fa194e9d32ab00ac6831

  • SHA512

    f6544e3212c721d93d631dc9b9d367080383bc9b036cf1fd7a4cccf5c53b6c6118d922607aee109f28a4c3342bc0763791c968f4b721a2774c7ba800b68fc70e

Score
10/10
formbookoh75persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Targets

    • Target

      Scan0186460022.exe

    • Size

      28KB

    • MD5

      4fcb4c25f8c90512688e83cdc8daf8b3

    • SHA1

      256bb873dcfa16fade3e911cb348b217df8b389f

    • SHA256

      1668071dae27e79c5de1abc1d04e278ce9ffe980fd36fa194e9d32ab00ac6831

    • SHA512

      f6544e3212c721d93d631dc9b9d367080383bc9b036cf1fd7a4cccf5c53b6c6118d922607aee109f28a4c3342bc0763791c968f4b721a2774c7ba800b68fc70e

    Score
    10/10
    formbookoh75persistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook Payload

      rat

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks