General

  • Target

    Confirmation transfer Ref No_00101334632192.exe

  • Size

    954KB

  • Sample

    221203-2askeaaf92

  • MD5

    8ecc522f8617adaf469f173400806dcf

  • SHA1

    19aff3a1b435064dade4cc095f9d10a5b6ba9859

  • SHA256

    b0e5e12bea8386e6e06c82e4e25257b22649a608b2ef2a599332879983a000b0

  • SHA512

    8109fd4157101064a8d4f73f438aed7f39202ebff2ab539a11434c625661cdc2c88509e9ef3a5f616d3e8136e20dd3f386fd94009b9e7f9e1344a9167d65b542

  • SSDEEP

    24576:ukqTTiwAAgEEY4olXoFZ6toHqwjwv0E6:ITQpo9aUvt

Malware Config

Extracted

Family

formbook

Campaign

q4k5

Decoy


Targets


    • Formbook

      Formbook is a data-stealing malware family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic                Technique                      Count  ID
  Execution             Scheduled Task                 1      T1053
  Persistence           Scheduled Task                 1      T1053
  Privilege Escalation  Scheduled Task                 1      T1053
  Defense Evasion       Modify Registry                1      T1112
  Discovery             Query Registry                 2      T1012
  Discovery             System Information Discovery   3      T1082

Tasks