Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    tmp

  • Size

    226KB

  • Sample

    221105-ep85dafehr

  • MD5

    f30dc6dd8fe2e44bf9b8c45115e6f83c

  • SHA1

    cf0033fda00be69b914807455b696b37c24ad9cf

  • SHA256

    1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

  • SHA512

    7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

  • SSDEEP

    3072:qUJoFfWzzl+cSMgi/+Ddy9YOmX3ucUiO0avrbjIO127nn9ubNZnf1wAUYqqRKgsM:qweEp5l9rkuWzcEfn9ySIi+3MuOZW

Score
10/10
formbookf4caratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Targets

    • Target

      tmp

    • Size

      226KB

    • MD5

      f30dc6dd8fe2e44bf9b8c45115e6f83c

    • SHA1

      cf0033fda00be69b914807455b696b37c24ad9cf

    • SHA256

      1d05865cde860a1f608fd49bb66177de78e910bb2dc231b57908a388dea5c0c2

    • SHA512

      7116d1742238ee2299f135a9f5d35ed0ff857710eb7c8ca2d99c32cab68ed9b39c906219c3933fc2bdd776319ca13ceebb345b25816898ac347a6eff6c818d72

    • SSDEEP

      3072:qUJoFfWzzl+cSMgi/+Ddy9YOmX3ucUiO0avrbjIO127nn9ubNZnf1wAUYqqRKgsM:qweEp5l9rkuWzcEfn9ySIi+3MuOZW

    Score
    10/10
    formbookf4caratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks