General

  • Target

    PO NO. 6COS2214634.exe

  • Size

    1.1MB

  • Sample

    221124-h4yhzabc5v

  • MD5

    5a3f411d3149c56950e8c9d54f29330e

  • SHA1

    587ebc690239bb64b910469515f1ce3639b3f9e7

  • SHA256

    4ac30ca3142675b81e4490da111a69336cc0b41b21049d3a8bb6b38e7851b529

  • SHA512

    2e4148c888910dee29617ab4bfa3fa4a52accf14a32f7f72f16ab085f536ec31859b27e59a7bf29b60f0c17bed25f5cf5ba4bf1d53f6acee17cd8699dad22e2e

  • SSDEEP

    24576:ezeKBgh/aweUeij4GDXXxfOaHc0l9ST5mkSBmHfI43BCs2Dz:ezeKSh/desZDXXlOaHBlYd0B74RCH

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 1
