General

  • Target

    AEE6E7C7266A285B58C757631A62A74117D4958B0FAD89A2368FF4B1CA53BA4E

  • Size

    179KB

  • Sample

    221123-r2tlnsab87

  • MD5

    1f99d93b4dbd5b918f438839205dd209

  • SHA1

    5a3a92e07a8b9f2f64b4adba2b9dda77cfc89af4

  • SHA256

    aee6e7c7266a285b58c757631a62a74117d4958b0fad89a2368ff4b1ca53ba4e

  • SHA512

    c63111bfaab91af1ede3d9c223e7ff0d84e9ffa73eb69d4e5cf02c2991218784ea58fb2ed5f8768b23ba7c435ef03c4d620184f882fe183733c2239c6aaa9f15

  • SSDEEP

    3072:JqiOwAk53a6sJbU4X7yNnLIpssSydwU8VbzEbAobsfSliJ2b7H:Jv3u2pLassSX5VXE1bsDJ2b7H

Malware Config

Extracted

Family

formbook

Campaign

pfgc

Decoy


Targets

    • Target

      Attached Invoice_72_1421 DOC.exe

    • Size

      245KB

    • MD5

      13940ca97783f75831c3f0a72c59ec53

    • SHA1

      d0bea9d294ab885228296157122414eb372f5a56

    • SHA256

      810b8a39783409f1b3f56e78d764a5abda68ff7bf08ae721ba798934568db7f3

    • SHA512

      e9169747a0c4f9c90bba3fabe3d71b4985410e221be37c6fe31c2bbec4a50299d3a4dd2eaffe087b65b6a70c857be127683e78fc685ce5868ddcb4428a4f78bf

    • SSDEEP

      3072:3LfVxlyEZfp9zIzjBlLetfKhoewsEvTnL+pssSWdwU8xbtEbAqPsfSliJx:btXZXPzd5vrL8ssST5xZEBPsDJ

    • Formbook

      Formbook is a data-stealing malware family.

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    Query Registry (3) T1012

    System Information Discovery (3) T1082

  • Command and Control

    Web Service (1) T1102

Tasks