Overview

overview

10

Static

static

PAYMENT FO...98.exe

windows7-x64

10

PAYMENT FO...98.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PAYMENT FOR PT1098.exe

  • Size

    807KB

  • Sample

    221122-kw59ysbd7z

  • MD5

    e78a007b4a9befa903f31bc219bcbd75

  • SHA1

    c8f9c31c70aa6a20dc7e20a909e23c2672af9014

  • SHA256

    5bb96d0e0036475868552414f3645cd7bd779629f1c9ffdbb5da32af26fd641f

  • SHA512

    65fd00bf0bfc4a13bef52a98beff89c68859d0fe21477476932ef9a2841f2ba5a3acf69f1ef5766eee2277a8b8cacf36f745c0555c11358bd2c680b68e47259b

  • SSDEEP

    24576:Wr18+L74mBfNUstzo38/JY7xki2xTq1r3r8JN:WrO8/JYlDI

Score
10/10
formbook06ehratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

06eh

Decoy

LFsv6dX2ii6R8OphWwptZ9Uy+geJcQ==

F2g1Ra3riiwsEeceZ+kPoyzVyQ==

m7+bOE66nh10jg==

Dyb/VMcRh6yNuvVNwJjlrzs=

3yNAvKD3bmuj1Q4=

K7hi/htWsKfW6xc=

sqpSY7/gcvvY0tm0tWucCg==

LnSqfZJAUour0Qo=

Il4dO5W4JE9OlQYNbHc=

LUYTY9QKZHZPe74hTaa/ljM=

Qg6iySJSuuTgNcboVm4=

SJkvGoebIdDEsJn9AI7yPbNK

DKBLqQM7m6oaUKM84/sIFQ==

GOOzpszYDX9lkuZQ5pmdrDDeyg==

V5064wgZl0G1DxNTv5jlrzs=

Onlr5MMHSXuH/91V

oddlSLzpBTyiCAtcvmSS

ITsUV4Gw/mkWaGLjCHs=

HqWBQYO4SQBinnio6GmL

tDrGMY3MC5e1KdgFRw==

Targets

    • Target

      PAYMENT FOR PT1098.exe

    • Size

      807KB

    • MD5

      e78a007b4a9befa903f31bc219bcbd75

    • SHA1

      c8f9c31c70aa6a20dc7e20a909e23c2672af9014

    • SHA256

      5bb96d0e0036475868552414f3645cd7bd779629f1c9ffdbb5da32af26fd641f

    • SHA512

      65fd00bf0bfc4a13bef52a98beff89c68859d0fe21477476932ef9a2841f2ba5a3acf69f1ef5766eee2277a8b8cacf36f745c0555c11358bd2c680b68e47259b

    • SSDEEP

      24576:Wr18+L74mBfNUstzo38/JY7xki2xTq1r3r8JN:WrO8/JYlDI

    Score
    10/10
    formbook06ehratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks