Overview

overview

10

Static

static

image004.exe

windows7-x64

10

image004.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    image004.exe

  • Size

    15KB

  • Sample

    221123-lkb3eabe94

  • MD5

    05a64724337efd906ee2b96271794fb0

  • SHA1

    b4e5d9f568e75f03ec6d6162e7cccc5fb51f1dfa

  • SHA256

    dfef95aace8bc4b84638abf73bdfb24e3108f8fef08ad6129546a2ffe9c13341

  • SHA512

    08977076cb53c9b7770e3860debcea22246a2e05b5d9b6e0a4783dd4528aa6af511ea086ec628ccefac899afe0e9f9694d8e265380e529bf7e1ca6e9192b6b87

  • SSDEEP

    192:bGbLYuZbHzxQMKek0LhkgSleWk8Lngcq2/4yTLzzcyrwzc5+45ZPw4d+U43P25:AkXv0LhQoWfgcq2wyDwySc5+c1h4+

Score
10/10
formbooks2h0persistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

s2h0

Decoy

aPAdsgRiM5x/yL/X5cm0VzOos18VCw==

dSikZMo3DX9YnT+x5r59

MuZXDW3373RVmozB4qxFB4TP

etxRTtBOmdLv9Ji3bO4a6w==

cV0TtnwKShHy

sMCRJpM3pLEzQGF7OA==

8/z1y5az+w6oJEvAnYJg

yStNFwgJB8qEsJ63zrBFB4TP

cTzYzR2KJdPl

XmERsrbQFFc8I6TW3/oJz61Zs18VCw==

kRd/feIxF5FObwVf1+Y=

OKPBaPCEyH0oM6Hn7oMSUso=

CgmzVibsv66DWPAUrXU4U8I=

sS1SCHE+uG6FD0TAnYJg

+KVTMo4N6VwErccB

lMaVXfE6YN3aeg==

YdgFnvPAI1QPrdAn34YUY8Gohu68JYOv

KzcRJLlCQHwbpOQqYoCB+Bp7yA==

wbtcD0JabN3m

vNfSa+yFzotDbAVf1+Y=

Targets

    • Target

      image004.exe

    • Size

      15KB

    • MD5

      05a64724337efd906ee2b96271794fb0

    • SHA1

      b4e5d9f568e75f03ec6d6162e7cccc5fb51f1dfa

    • SHA256

      dfef95aace8bc4b84638abf73bdfb24e3108f8fef08ad6129546a2ffe9c13341

    • SHA512

      08977076cb53c9b7770e3860debcea22246a2e05b5d9b6e0a4783dd4528aa6af511ea086ec628ccefac899afe0e9f9694d8e265380e529bf7e1ca6e9192b6b87

    • SSDEEP

      192:bGbLYuZbHzxQMKek0LhkgSleWk8Lngcq2/4yTLzzcyrwzc5+45ZPw4d+U43P25:AkXv0LhQoWfgcq2wyDwySc5+c1h4+

    Score
    10/10
    formbooks2h0persistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks