General

  • Target

    invoice_tracking DHL47590000000000000000000000000000000000000000000000000.exe

  • Size

    510KB

  • Sample

    220929-sfj1sacbgn

  • MD5

    1171d17c95d225d6f0d37267f6c36e07

  • SHA1

    8e5b4ab68278877993beebf2670238d815ed4538

  • SHA256

    1044f891d6eb65b8355914f7afe50cee1305060be10d899627b5a310dda6f926

  • SHA512

    03848cdac3b3e5d60a44f17bf3492095a4791e802433a615367eb96e1e9adc5b1a1d736152cd70536dc7ebedafaeaccf42328bb51b2699752692e79cc778dade

  • SSDEEP

    6144:uTouKrWBEu3/Z2lpGDHU3ykJFWi/2o/iCnphoSZgKqZAqM9zEd/RWtu:uToPWBv/cpGrU3ywWmkmpGSZNqZ9M9YJ

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy


Targets

    • Formbook

      Formbook is a data-stealing (infostealer) malware family.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive profile data.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic               Technique                       ID      Count
  Defense Evasion      Modify Registry                 T1112   1
  Credential Access    Credentials in Files            T1081   1
  Discovery            Query Registry                  T1012   1
  Discovery            System Information Discovery    T1082   2
  Collection           Data from Local System          T1005   1

Tasks