Overview

overview

10

Static

static

fifth.exe

windows7-x64

10

fifth.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    fifth.exe

  • Size

    736KB

  • Sample

    221207-gcytzshh83

  • MD5

    f4937a3e14c770221de47df00885285b

  • SHA1

    dc22ac92d802f7339691082330dc36a236e86644

  • SHA256

    1235cd108420d0531298421c807f494e09133bdab337a0d13c6e1bb7ebf239c4

  • SHA512

    f06d1eaf53b7027a768f24d15f8b9cf099145f77765c8ef6a8577f37633ccb147f6d3038a46bce5c21de65b6bd78ab14636d6d233497210af07b2923a0b0c4c7

  • SSDEEP

    12288:JwlQbmomPZefXPtqvyuQwYvCYDAD9AxDZCCjM+9MQJQv8vgUycEn/z:iomxiXQFwv1M9KDZCIMpQDgUDyz

Score
10/10
formbook06ehratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

06eh

Decoy

LFsv6dX2ii6R8OphWwptZ9Uy+geJcQ==

F2g1Ra3riiwsEeceZ+kPoyzVyQ==

m7+bOE66nh10jg==

Dyb/VMcRh6yNuvVNwJjlrzs=

3yNAvKD3bmuj1Q4=

K7hi/htWsKfW6xc=

sqpSY7/gcvvY0tm0tWucCg==

LnSqfZJAUour0Qo=

Il4dO5W4JE9OlQYNbHc=

LUYTY9QKZHZPe74hTaa/ljM=

Qg6iySJSuuTgNcboVm4=

SJkvGoebIdDEsJn9AI7yPbNK

DKBLqQM7m6oaUKM84/sIFQ==

GOOzpszYDX9lkuZQ5pmdrDDeyg==

V5064wgZl0G1DxNTv5jlrzs=

Onlr5MMHSXuH/91V

oddlSLzpBTyiCAtcvmSS

ITsUV4Gw/mkWaGLjCHs=

HqWBQYO4SQBinnio6GmL

tDrGMY3MC5e1KdgFRw==

Targets

    • Target

      fifth.exe

    • Size

      736KB

    • MD5

      f4937a3e14c770221de47df00885285b

    • SHA1

      dc22ac92d802f7339691082330dc36a236e86644

    • SHA256

      1235cd108420d0531298421c807f494e09133bdab337a0d13c6e1bb7ebf239c4

    • SHA512

      f06d1eaf53b7027a768f24d15f8b9cf099145f77765c8ef6a8577f37633ccb147f6d3038a46bce5c21de65b6bd78ab14636d6d233497210af07b2923a0b0c4c7

    • SSDEEP

      12288:JwlQbmomPZefXPtqvyuQwYvCYDAD9AxDZCCjM+9MQJQv8vgUycEn/z:iomxiXQFwv1M9KDZCIMpQDgUDyz

    Score
    10/10
    formbook06ehratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks