General

  • Target

    binL-main.zip

  • Size

    188KB

  • Sample

    221207-hd4bjafg91

  • MD5

    3876dfc155111b62894cac36cf8de039

  • SHA1

    a3b6a7d90e475fc5ed8e093c3527e4deb4db9e72

  • SHA256

    ae74329d05f75049f9fc301d1ea99c34b4320edd9e3af685c84d47dd69406d08

  • SHA512

    6c03ba36d8258d890d46edbbebade92f0a8c54b2f8801a402a635fba18972a4097dae79e312bc2354d09b3166d6441aa6531bdb40c22b9b6fbe521d520b2a8d4

  • SSDEEP

    3072:PdroMwND0GQ4zGI/5RT1ygz652b4HDrX/3NYeeDNHkcP7biIkUOuTDcTlgbYm6C9:F00GaI/PTDCa4PX/NY+pIROeDch0okYM

Malware Config

Extracted

Family

formbook

Campaign

s3f0

Decoy

zm/xqaOkp7SIM6I9k8cYYQ==

R3BJUiYhIJsD50TcNbbEexs=

r92WbDh7DjlsCftKuG56

UmoUBecGa6YL6A==

UQLQ4AmN+i0R

ATNkzEHBHyMM

BSHJi2n11k/Oq+6Mug==

+Z7elo1OY5UH6Q==

dZEf25y+5WLNqDGY9DI=

Zu6ipAkOo1QGo6fHrw==

iquKhUajLOlfLDduk8cYYQ==

6HcbD4jxPzcS

kCkEGSRmmQVzS1l7k8cYYQ==

kpV9fdfeZ3ZO/ozTsg==

Vea2yr7h+HTYxwHH9C8=

j7h4fHeMuGfayAHH9C8=

tcQ2/YKFQAFqYKxQfu09Rjl6FA==

RVYC2MYEERU2x8sXLiY=

dv+nDEaN+i0R

CbNkLJj8EFE0Hmn/LSeqpVhnTmJs

Targets

    • Target

      wininfo32/lib64.exe

    • Size

      202KB

    • MD5

      676380743dd23f61e18c1e044105168a

    • SHA1

      387fbee19170c2ddc8c4faa2b38131fe9b3259de

    • SHA256

      d8b2ccbb31253f78340e5a95ac72cb871e52338526817cc5db09107becaf7b36

    • SHA512

      685d3bf901993ddec9a786132f1f9e9b48c6d8697fdce67f26813b0e1d1b1b2419d37db35c43829578255b51d80877a243b395d2a4423eef4174b5168dfc8b14

    • SSDEEP

      6144:qxAVDI/PTDCC4vX7NYEpItOeDwh0UkezRpt:qxAVD6Pn0v+EaOeDo0yzRT

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

  • Command-Line Interface (T1059): 1

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 3

Collection

  • Data from Local System (T1005): 1

Tasks