Overview

overview

10

Static

static

PO_SFOWRN5.exe

windows7-x64

10

PO_SFOWRN5.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO_SFOWRN5.exe

  • Size

    552KB

  • Sample

    221204-bn5h1shf6v

  • MD5

    af3f0a8b0c0568f110f3b1fdcd70ad42

  • SHA1

    9a5e79a01df75bcb04705ababdd062c2074486e2

  • SHA256

    e7529a2d209e8f8405bfc92ae8f79486335989c0dcb472b678335db442fc6c04

  • SHA512

    c47b704650f791386355068524daf9a1208deb1ece9838175cbe9f41c18c34cf61df96c836ca1781db2e0c986749af7268229e8b29abdcea1c636a04a81f342c

  • SSDEEP

    12288:0oq78ingp/U7aZl/vJJfBbJMlpsG9+9jq:dq7roauJ3JMl9M9j

Score
10/10
formbookn2hmratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Targets

    • Target

      PO_SFOWRN5.exe

    • Size

      552KB

    • MD5

      af3f0a8b0c0568f110f3b1fdcd70ad42

    • SHA1

      9a5e79a01df75bcb04705ababdd062c2074486e2

    • SHA256

      e7529a2d209e8f8405bfc92ae8f79486335989c0dcb472b678335db442fc6c04

    • SHA512

      c47b704650f791386355068524daf9a1208deb1ece9838175cbe9f41c18c34cf61df96c836ca1781db2e0c986749af7268229e8b29abdcea1c636a04a81f342c

    • SSDEEP

      12288:0oq78ingp/U7aZl/vJJfBbJMlpsG9+9jq:dq7roauJ3JMl9M9j

    Score
    10/10
    formbookn2hmratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks