Overview

overview

10

Static

static

1

P_O__DAR.exe

windows7-x64

8

P_O__DAR.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    wza1ty.img

  • Size

    1.2MB

  • Sample

    221129-qz9z7sea32

  • MD5

    8b9d1be120d4abf975bcaeccbd19c3ed

  • SHA1

    640dd88ff021d0e67136690a6623e5376b4fb7df

  • SHA256

    1c239056f12181094f66a4e7dd8a5ece180a9d9ad9793cf0dc1991dd0e53d585

  • SHA512

    584ed111a32ad219cbd3314cc04a78cd99ff2f462d84424e1670b80813f063c6d2a95a14677275f2130b14407b3169f8a4c99475c3297249d6c0220b930ea61b

  • SSDEEP

    12288:OAOoU7mzbaCWo4lZ7v4V+rsUbXKENRT9AV5yKk4dKQ2:OAG7mzbCo4lZ7vLpXJzBA/yKkGp2

Score
10/10
formbookbzp6ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

bzp6

Decoy

cv3Tymnr/xzunez//TFYQoKp0Pfj

tUmgQu3m4ffj

nEv7UlMpk8u5csW5dJS/po1Hsh7r

vm+dyfje8fW5f49kA/Fau+xLYJlPVv0=

/7jzSKaswdGspw82DA==

WEBCaDa1z928jBdUWtn/O5+I

vrunlBev7DDHnf4R

8+BnVrB7/Uzl4A0JnaYLcw==

02sgf5VrD1ccjnNIztUUtas=

PwdKrCuRJGdBG6hwGw==

lGNYjlH5mc67hGn7T/xYNq6kVdJqMku5

OPhdW1IysvnSXL365hJEGqIlMHs=

hGfpAURoq6xxRCy0D5eFga4=

q4pklmD4j9uuXz7ENyuWHxkWSZlPVv0=

A7UeJSAFi92oeJfmPwA=

YUfI3A//bLibaIPtoRB2

vpFlpIlanKM6Vuge

NsghLA2JylkvtA==

Fh3CD1JtmB/+wJU=

58aByPTnXaeKGuUsavhr

Targets

    • Target

      P_O__DAR.EXE

    • Size

      638KB

    • MD5

      54461c7e27a4a8300849a2bf355e2f80

    • SHA1

      062533436b05fa712687cf294db2d5b1ec3b7265

    • SHA256

      6ec121caff8aebd600516a024a4d6f289e32dd8ab3581e2e641cf5309f4905d6

    • SHA512

      cccad6007233a70642ec92622a091e489fc227df342f54137e7085b178978f4bd9b48b62664d025d0858c744145cabdb617df1f8761dda4bd416d9627ac7e8f4

    • SSDEEP

      12288:EAOoU7mzbaCWo4lZ7v4V+rsUbXKENRT9AV5yKk4dKQ24:EAG7mzbCo4lZ7vLpXJzBA/yKkGp24

    Score
    10/10
    formbookbzp6ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks