Overview

overview

10

Static

static

Bfahzwldvw...yt.exe

windows7-x64

1

Bfahzwldvw...yt.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Bfahzwldvwhwwrtwdszaobzdwphritceyt.exe

  • Size

    762KB

  • Sample

    220811-jqaqesehc9

  • MD5

    3f459e0b263c7ed71559eb0f326b5733

  • SHA1

    f079e61f2783cd548d9f3dc7f177c10c73dfa39a

  • SHA256

    6a147da6ac0eec13aeaf08e385f27f58132562980c1ff628f4a4dc98ed70e202

  • SHA512

    3c146dc604065a9902329dd10b10d39e17c09079fb0d0689a3eca87ed04a9be9957116b4c05d824c2093408e6222c1203aa8182e1eee79c42eeb0f450dd63211

Score
10/10
formbookmodiloadero2e7persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o2e7

Decoy

genvivwink.com

paramotos.space

bolsanoir.com

techblog.asia

seophreak.com

agitationt.net

jenniferlearmontcelebrant.com

biggsales.space

barkerprintsolutions.com

jesuspatriot.com

clinicaamadeolosmochis.com

lowbackpaindecoded.com

mumbaimasjid.com

masooliflourmillers.com

incopetent.com

andresramosweb.com

betonamubukkyoshinjakai.com

pukimail.net

erohlimitcrown.site

bodogegarden.com

Targets

    • Target

      Bfahzwldvwhwwrtwdszaobzdwphritceyt.exe

    • Size

      762KB

    • MD5

      3f459e0b263c7ed71559eb0f326b5733

    • SHA1

      f079e61f2783cd548d9f3dc7f177c10c73dfa39a

    • SHA256

      6a147da6ac0eec13aeaf08e385f27f58132562980c1ff628f4a4dc98ed70e202

    • SHA512

      3c146dc604065a9902329dd10b10d39e17c09079fb0d0689a3eca87ed04a9be9957116b4c05d824c2093408e6222c1203aa8182e1eee79c42eeb0f450dd63211

    Score
    10/10
    formbookmodiloadero2e7persistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

      trojanmodiloader

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks