Overview

overview

10

Static

static

DOC2022091...60.exe

windows7-x64

10

DOC2022091...60.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    DOC20220913-56789098765560.exe

  • Size

    866KB

  • Sample

    220919-dxf8wsabbl

  • MD5

    76a90279d9751835bfe078be3d90f819

  • SHA1

    158ecb15776a0a00da5b10a816277a56adc3aa0a

  • SHA256

    46cebe7371374cfb5e81001a02ea876e69e8ce2605e6c6afa99de8ccb937abb9

  • SHA512

    08c1e08e37d06aa779cec47eb4a1f241d35fc5e59fcf03825bcc836a66f00afe40bbf337750edef72941f51c3bbfd127d73f12df876a7c949a4f7fb1725b6909

  • SSDEEP

    12288:i4xAkdUsXuJ5lZ7vgQOzCLYYhBmO9P/3v4+glMVxd:VVdUTUQOzANwO9Hf4

Score
10/10
formbookc1noratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

c1no

Decoy

SKHcqi+am5xGsHiCoXnH

BObxRpdRlNT5GCo3Eg8azNIQ

GPkN2SZ9gJOYqn4iaNIH6d1MRlk=

ZrdQ6Q4zd05LBFWPDc8=

KYQZEtvg85sq1t9jd7kazNIQ

KWu2/CZdnIFgf0p8

YlJ9mWmf+XkCjxzXSw==

nPeaENkZPzjWSh5DJiBVhlrTSx9V

GfUN8rKft59DsH2CoXnH

5ThnVCgjBm96jxzXSw==

pfb0D48Mk38v

uK6V0h16ziJXZuQ3NR8asKzT2Q==

QaxeYCJXoHFvKesgBSozIyC6bkTR8rbF

QT12wt/a0nsdrbY/oSGKqcq2wQ==

vfuiENwZZrvruTm5lHDF

iNsQyVnb3NHbtXyCoXnH

9jjn4jP8RyrjBYwNPvtfPg==

Wz1uwtUpdbrpwZXZq5HpXV7TSx9V

e9+RDvTx9HSZej/7PvtfPg==

oAeNwswNS6QgtnOdmcc=

Targets

    • Target

      DOC20220913-56789098765560.exe

    • Size

      866KB

    • MD5

      76a90279d9751835bfe078be3d90f819

    • SHA1

      158ecb15776a0a00da5b10a816277a56adc3aa0a

    • SHA256

      46cebe7371374cfb5e81001a02ea876e69e8ce2605e6c6afa99de8ccb937abb9

    • SHA512

      08c1e08e37d06aa779cec47eb4a1f241d35fc5e59fcf03825bcc836a66f00afe40bbf337750edef72941f51c3bbfd127d73f12df876a7c949a4f7fb1725b6909

    • SSDEEP

      12288:i4xAkdUsXuJ5lZ7vgQOzCLYYhBmO9P/3v4+glMVxd:VVdUTUQOzANwO9Hf4

    Score
    10/10
    formbookc1noratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks