Overview

overview

10

Static

static

RFQ-PR. No....2.exe

windows7-x64

10

RFQ-PR. No....2.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    RFQ-PR. No.1599-Rev.2.exe

  • Size

    304KB

  • Sample

    221014-masg3saggp

  • MD5

    ee8704b53daeab3de3fe710d1e4ab2a3

  • SHA1

    e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1

  • SHA256

    80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154

  • SHA512

    5cc88cec051e0cac48291f27663f47c59ae5d1f75a132f19ddeb130074b71739b5446de73f08a8d75847a3b0b6a053249ce482c797caafc4bbe2411c5900a164

  • SSDEEP

    6144:QbE/HUBRBcwLt8USzTpll3TbXZXFVz93kZGsDmsxPW7yZLx:QblRSAt8UGpl5bx93qGncPW7yZLx

Score
10/10
formbookfkkuratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

fkku

Decoy

ItLUfbYmkw6ODl8lnvwkR/8=

oUKMUSjydqzVWxG/CqjK3ngAhQ==

HB9lfRtFwT/XlJ9Lxw==

hBYXuorq7a3WwPq1NSezCMStlQ==

ciRqfQbLgwx/+e2rLqTZ8oMLc2LYY4o=

9vb76Nc8JzKlj4YEQyPAx2dx86U=

fB9041xJgwl1

ND8juoNyH6x5XqlZ2Q==

QEaot04y8XLjFOBp1Cg=

SG6vmdmmpmFmDosczg==

WWCorUT756r1F+aD3cd7Cij6nSFQ

Yl63zVL2NnFph44XcKkiP/k=

s2RfFNOd3fuBEJNZ2ig=

u1p6Ucr2uCketwGD

0vD8lFkSfRCHEJdebbrb

qzlqgxrsrDRmDosczg==

H5aTYXc2rHXjzQ==

S/pFbexYx0S+Ex7SN5rC

9kOIkRTWkA136nA2Ua/R

ojOElJ50E1N40ZNanCbEZw==

Targets

    • Target

      RFQ-PR. No.1599-Rev.2.exe

    • Size

      304KB

    • MD5

      ee8704b53daeab3de3fe710d1e4ab2a3

    • SHA1

      e73ea03c0eb02df53174fe29f5ec7b256f8cdbc1

    • SHA256

      80b8b1f20535fa3c733679f5f6afcd2d8e3757ec424e332e01cb0037b70df154

    • SHA512

      5cc88cec051e0cac48291f27663f47c59ae5d1f75a132f19ddeb130074b71739b5446de73f08a8d75847a3b0b6a053249ce482c797caafc4bbe2411c5900a164

    • SSDEEP

      6144:QbE/HUBRBcwLt8USzTpll3TbXZXFVz93kZGsDmsxPW7yZLx:QblRSAt8UGpl5bx93qGncPW7yZLx

    Score
    10/10
    formbookfkkuratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks