General

  • Target

    e30b884ac78c7ac7ac35da00c367fb2b

  • Size

    899KB

  • Sample

    221004-x15v7scab6

  • MD5

    e30b884ac78c7ac7ac35da00c367fb2b

  • SHA1

    742be2957bcd94a6061c3077f0339027f4849478

  • SHA256

    8952f3614c3e5762a461e1b1b133d8e9c201a1863e61fade4f0aba5354ef5dc9

  • SHA512

    4197425f9a4b48aabcd25d00d419cadac1c9eb9770144c65ff6fb31fd0c88a214e781f83574c4c18402a41decf9889383d863078d1354474b3e52f592a9ebb8a

  • SSDEEP

    12288:ksafC4AySMa9QlE43drbz+MIFXWx1bWLPVqrZXJT2BU59vJ:8iySPEbdHzD2bViZXJTHR

Malware Config

  • Extracted

  • Family

    formbook

  • Campaign

    hzb3

  • Decoy

    BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==

    CEqdZb0KaOLLbWqrDVTgc20=

    nBv0jSFiQHxtE6awQnm2

    E1sGpCJYtB8ImaguUyF6yQ==

    PMBND7LzJGZH7CXulclbs2c=

    u9zzlFGDXo6LLbGwQnm2

    SaJjLbtVlMgsP5ZQRj4=

    wckwEbwBbKA2X3g=

    rPxB8ePUxfu4pilu

    S562QFeKY5P//qawQnm2

    BkEfWXZuY3ihKW8=

    ZanakqMxkP7VdNfWdD4FGDqF

    PYYbtzdINC1J0OYzQCk=

    Fmg9LBxaPQ==

    4eXWfoC06yGAkQ0l+Txs2w==

    n68j2X6+CIhsD5GiCMYBsHI=

    hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE

    X6PAVGfwPHihKW8=

    7zn1tkuDaZ2FKbGwQnm2

    lB0m5ghWsSmMpIUS8EBM31l/463cqQ==

Targets

    • Target

      Scan_Pictures.exe

    • Size

      592KB

    • MD5

      f8581e56190bf92b20e26c241676fb7e

    • SHA1

      21efc7fc501affed54cf4eeb9842a283a16fa4a1

    • SHA256

      8bdd8e2b3d91d21ea2cad77027b0a8b88f9d7d1ec2733b86c1c664bcd847b81d

    • SHA512

      4a1c96a7480a538bda2fb129e25d1382d0d0042cdeb44c4491b1a7b5ec63614acb5ef776d0fbe844d22620b1f801154a19ae714414cf6bcdb3b2ce1d1cad6784

    • SSDEEP

      12288:nToPWBv/cpGrU3yp9uQmvCduEnTImJ6Uav+:nTbBv5rUOtmvCd7Xav+

    • Formbook

      Formbook is a data-stealing malware family.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks