Overview

overview

10

Static

static

1

PO 0094899101.exe

windows7-x64

8

PO 0094899101.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PO 0094899101.exe

  • Size

    762KB

  • Sample

    221206-hysqjahc21

  • MD5

    4c274f3bc91970597ea119c632c45860

  • SHA1

    43fda1bfe6971a37106d9827433b07dae500fe30

  • SHA256

    3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8

  • SHA512

    bf9eec01cc9fe9e5b4ce24f10cfdf059bcc2d0a11ea8d3ea82aa8dbde5d1c4aa715a171dcec6786461d1f4dc6af9f396ad6dd6add188a111a5f972dd4dd8815e

  • SSDEEP

    12288:YbIg+dWn45FiQxDCDTkEwYlaPU5vot96i0KeDC2/2ak6NqpIESRaJ2:YbZQtaQKlsU6tYiEC2FkMUSRaJ2

Score
10/10
formbookelhbratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

elhb

Decoy

BxGzoacPQ3mFBGhbtixjHOm2l30=

dTRqRkWfuBbGMmsPJA==

Pix+zpOG6+Gk

N+3dNZ0ZjOtrRnnj

xUv06VOm45P441HWCmmfSum2l30=

Sx5JuwMfaRrJdK3r

cgU6nPNKa14KC4K40cp4wbkm/KpzfwM=

rV8A2UGJrlbYxa48P40=

Gz3szbYLIYI6l+4=

QU3ru637P+U4itwRQ3n7n2c=

DdkGzbEPU4Fy4h2bZLVXNzz0

QPUo8R5qn9KUnhRRtmVY8/Zp5Xw=

q+EX7juJsVR79msRSnsUxg==

/34eEpvsLS8lw7uom5U=

HEVrEXHlHMlNNp9IlsY+0Q==

KZ/SIWnI7eeog+pwY9uAw+PmmhfjXQ==

Kdn7YMcoXYWjHId+0jhkHem2l30=

R7lnYeAfO1MUHIWyz9c/aoIvHxSvQA==

P7ZYVqmG6+Gk

hlk7m1hdnb0=

Targets

    • Target

      PO 0094899101.exe

    • Size

      762KB

    • MD5

      4c274f3bc91970597ea119c632c45860

    • SHA1

      43fda1bfe6971a37106d9827433b07dae500fe30

    • SHA256

      3c1db94995f50f8d469f8d44278a9fe97864afca4be64ce6aceabdcbe9d91de8

    • SHA512

      bf9eec01cc9fe9e5b4ce24f10cfdf059bcc2d0a11ea8d3ea82aa8dbde5d1c4aa715a171dcec6786461d1f4dc6af9f396ad6dd6add188a111a5f972dd4dd8815e

    • SSDEEP

      12288:YbIg+dWn45FiQxDCDTkEwYlaPU5vot96i0KeDC2/2ak6NqpIESRaJ2:YbZQtaQKlsU6tYiEC2FkMUSRaJ2

    Score
    10/10
    formbookelhbratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks