General

  • Target

    8501782087.zip

  • Size

    230KB

  • Sample

    221206-xavybada38

  • MD5

    4965a9e9f1c2eac8e98bb1c20fd6de60

  • SHA1

    4aeca0f00230ff5c7c3706017c70ea0caf0ec8b4

  • SHA256

    f713783b78488d6997250029c2cc9c506b38c96a1198cd0fdc263fc1ed85d4ae

  • SHA512

    b389b698ae6d9ea00ee12e7269a137e65d61db12df04fb266316712771a1137baf7584f9cba5ad2fcfe5cdd06f157f2f05232f246fbedba1a050968505c50ea5

  • SSDEEP

    6144:OaJlQ5B94y1p4BMw5Q9EI7an3//4qFCuLS0RJ9hbTRDtRZgLT:bqb94G6BFkE+aX5FLbJfHg/

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    fkku

  • Decoy


Targets

    • Target

      d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a

    • Size

      246KB

    • MD5

      18f4957244bc049d56a80817e78da201

    • SHA1

      a8dd8602f604e5b33b4e21c157cd23a084218d62

    • SHA256

      d4540b3b4445dca1814c5489568883e4f7e7ae889d39f60b62e803d05ed5418a

    • SHA512

      75ae534cca9e219288ff02b391b2995f9c49f82b406c86b3554a78cecaabed4c84b473137241ed08aea3894f25d6fc5d2a95a1d0766ba908ac42657adf5e5336

    • SSDEEP

      6144:KEa0i0pnITU4I9GqwmJYb3IaNDTRovITs0ZVc+oD8oA+:aynmqwmeIQTR3Ts8VcHA+

    • Formbook

      Formbook is a data-stealing malware family.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique                     Count  ID
  Execution        Command-Line Interface        1      T1059
  Defense Evasion  Modify Registry               1      T1112
  Discovery        Query Registry                1      T1012
  Discovery        System Information Discovery  3      T1082
