General

  • Target

    LPO 11-17.exe

  • Size

    794KB

  • Sample

    221118-hw267agh25

  • MD5

    cdfbda9ffbe8063dbd24476cc2b5f189

  • SHA1

    c0b243c6f8bde7f51f794fc1b1eb12c327914969

  • SHA256

    d63889a88b1546c0e457c123d946f27ffcc64105931b47f805f196eada498880

  • SHA512

    84f7069e7aa2fcac47ba9589f6c5f25aab7712d2c8c27fd066868ce97319f0a99c71221a4144f0698b43c4e1d451ece65599f93ff57c24d2fb4dafabe637a072

  • SSDEEP

    24576:WnH6jZnbCkIMnG3ch9YoxWHTcfm7DvCk:aajZnbCkIMnrr/QHzvt

Malware Config

Extracted

Family

formbook

Campaign

06eh

Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    T1059 Command-Line Interface (1)

  • Defense Evasion

    T1112 Modify Registry (1)

  • Credential Access

    T1081 Credentials in Files (1)

  • Discovery

    T1012 Query Registry (1)

    T1082 System Information Discovery (2)

  • Collection

    T1005 Data from Local System (1)