General

  • Target

    PO-22010830.exe

  • Size

    747KB

  • Sample

    221206-pglzzsbd5v

  • MD5

    876cdf36f3096235e8a7d2d226939dfd

  • SHA1

    bf2ac1b26edb83492c37e6fe43d779a1f3ca2555

  • SHA256

    933b7f5c98ba6f0c28c54a11d35c8ac0a36d825699df11a896767556ebce1603

  • SHA512

    c9cc4e3ef82cdac35bc7d9ff2e9339692453d437949c33d88700c12d979038886b872992e1fd0641ecc99ebe388586b764a440f29973e0c85ac27cdddb494526

  • SSDEEP

    12288:WyVeA2iN9b3vT2hbrG/fpI0n5ryqQBgVA5AAasVejNwSyGi8AoMM:DMA1HLT2hbK/ymWZSVAyAV8jov8nMM

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Targets

    • Target

      PO-22010830.exe

    • Size

      747KB

    • MD5

      876cdf36f3096235e8a7d2d226939dfd

    • SHA1

      bf2ac1b26edb83492c37e6fe43d779a1f3ca2555

    • SHA256

      933b7f5c98ba6f0c28c54a11d35c8ac0a36d825699df11a896767556ebce1603

    • SHA512

      c9cc4e3ef82cdac35bc7d9ff2e9339692453d437949c33d88700c12d979038886b872992e1fd0641ecc99ebe388586b764a440f29973e0c85ac27cdddb494526

    • SSDEEP

      12288:WyVeA2iN9b3vT2hbrG/fpI0n5ryqQBgVA5AAasVejNwSyGi8AoMM:DMA1HLT2hbK/ymWZSVAyAV8jov8nMM

    • Formbook

      Formbook is a data-stealing malware family.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 1

Tasks