General

  • Target

    RFQ No. 980007 & 983185.exe

  • Size

    239KB

  • Sample

    221208-2askeaef7t

  • MD5

    a9ee4f66b0686b6696d2853667da9c18

  • SHA1

    6c4ec8743ac76cd05fc33ba3d05e82c47d87ecce

  • SHA256

    05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b

  • SHA512

    d222a4cc4ea8b89b6aa66eee2f2ee0510cae392e15b04945e75baf3db7302ff9e9b8d063dce021096b539e26c26ea3478ecb4d17f3d763ff1f60a98e9c6a20c9

  • SSDEEP

    6144:xBnYpMnlMPjMn6m3AWilyG6M2abL9cBjr8Jiw:UpglZ6m373G6M2alc9AJX
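The digests above are the indicators a practitioner would actually pivot on, and the usual mistake is a copy-paste error in an IOC that silently never matches. The script below is an added example, not part of the sandbox report: it validates the indicators, computes all four digests in one pass over a file, and compares them against the report's values. The file it hashes is a constructed stand-in (a few benign bytes), not the sample.

```python
"""Hash-based IOC check for the sample listed in this report (added example)."""
import hashlib
import os
import tempfile

# Indicators copied from the report above (digests of "RFQ No. 980007 & 983185.exe").
REPORT_IOCS = {
    "md5": "a9ee4f66b0686b6696d2853667da9c18",
    "sha1": "6c4ec8743ac76cd05fc33ba3d05e82c47d87ecce",
    "sha256": "05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b",
    "sha512": "d222a4cc4ea8b89b6aa66eee2f2ee0510cae392e15b04945e75baf3db7302ff9"
              "e9b8d063dce021096b539e26c26ea3478ecb4d17f3d763ff1f60a98e9c6a20c9",
}

# Expected hex length of each digest; a truncated IOC fails this check.
HEX_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def validate_iocs(iocs=REPORT_IOCS):
    """Return the names of indicators that are not well-formed hex digests.

    A truncated or mistyped hash never matches anything, so this is checked
    before a "no hit" result is trusted.
    """
    bad = []
    for algo, value in iocs.items():
        if len(value) != HEX_LENGTHS[algo]:
            bad.append(algo)
            continue
        try:
            bytes.fromhex(value)
        except ValueError:
            bad.append(algo)
    return bad


def hash_chunks(chunks, algos=tuple(HEX_LENGTHS)):
    """Compute every requested digest in a single pass over an iterable of bytes."""
    hashers = {algo: hashlib.new(algo) for algo in algos}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def hash_bytes(data):
    """Digests of an in-memory byte string."""
    return hash_chunks([data])


def hash_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large samples are not loaded whole."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""))


def match_iocs(digests, iocs=REPORT_IOCS):
    """Return {algo: digest} for each algorithm whose digest equals the report IOC."""
    return {
        algo: digest
        for algo, digest in digests.items()
        if algo in iocs and iocs[algo].lower() == digest.lower()
    }


def classify(path, iocs=REPORT_IOCS):
    """'match' if any digest of the file equals a report indicator, else 'no-match'."""
    return "match" if match_iocs(hash_file(path), iocs) else "no-match"


if __name__ == "__main__":
    # Constructed stand-in for a file under triage: benign bytes, not the sample.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.")
        candidate = tmp.name
    try:
        print("malformed IOCs:", validate_iocs() or "none")
        for algo, digest in hash_file(candidate).items():
            print(f"{algo:7s} {digest}")
        print("verdict:", classify(candidate))
    finally:
        os.unlink(candidate)
```

Point `classify()` at a quarantined file to get a verdict; a single matching digest is enough to confirm the sample, while a "no-match" only says the bytes differ (the SSDEEP value above is what you would turn to for near-duplicates, which this script does not attempt).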

Malware Config

Extracted

Family

formbook

Campaign

m5oe

Decoy (values listed as extracted; a Formbook configuration carries decoy domains alongside the single real C2, so most of the sample's HTTP beacons go to benign hosts and only one in the set is live)

HdR8hG6r12hBYuHY4zv6YeeFPQ==

tD1V9gswYvgQXEGd

1xKtJ1LdqRYMRMC84U1A

MbhjiWb7Lz8z7KIWl3UyUIJwA6Tb

joVB5Xggy2RtE+odsZg=

TrduAIay6Y3SvoIK20xI

pSna7LOsXXwXT/zz3Iow4g==

QnthmO4Qst5gC3sDoA==

eAirzOOgO7SOCenz3Iow4g==

xg0uSbfLTg==

YWQXwyGRzPEHzGrDFE8CBSE=

ujLnfuXoH9dbgHIK20xI

291v0XsGFrYQXEGd

MRvTd/qMuaHpjCM=

X131fLC6VWX4MsvCb2IPjIfq8wlksWfg

Y9Bur8DbgqFt/Yni86MMCCE=

q6RTBmJkmy5pWTmmCCrvmuCDPw==

mQS26DojT+EQXEGd

sjHQ+Kav2Wx9FeodsZg=

JA24UKnTA5re1LhcQaVo/w==

Targets

    • Target

      RFQ No. 980007 & 983185.exe

    • Size

      239KB

    • MD5

      a9ee4f66b0686b6696d2853667da9c18

    • SHA1

      6c4ec8743ac76cd05fc33ba3d05e82c47d87ecce

    • SHA256

      05740669c4c15fd382ace1ce3a03d78ad0bbd9b1dafa5d22d13fea990e07e65b

    • SHA512

      d222a4cc4ea8b89b6aa66eee2f2ee0510cae392e15b04945e75baf3db7302ff9e9b8d063dce021096b539e26c26ea3478ecb4d17f3d763ff1f60a98e9c6a20c9

    • SSDEEP

      6144:xBnYpMnlMPjMn6m3AWilyG6M2abL9cBjr8Jiw:UpglZ6m373G6M2alc9AJX

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service. It harvests saved credentials and form data from browsers and mail clients, logs keystrokes and captures screenshots, runs from inside a legitimate process it injects into, and beacons to one real C2 hidden among the decoy domains in its configuration.

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check that gates execution on the victim's locale.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill form data.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the hand-off step in process hollowing and thread hijacking: a payload is written into a suspended process and execution is redirected into it. Together with the dropped EXE and DLL above, this indicates injection of a second-stage payload.

MITRE ATT&CK Matrix ATT&CK v6

Tactic              Technique                      ID     Signature hits
Execution           Command-Line Interface         T1059  1
Defense Evasion     Modify Registry                T1112  1
Credential Access   Credentials in Files           T1081  1
Discovery           Query Registry                 T1012  1
Discovery           System Information Discovery   T1082  3
Collection          Data from Local System         T1005  1

Technique IDs follow ATT&CK v6, the version this report uses. In current ATT&CK, Command-Line Interface is the sub-technique T1059.003 (Command and Scripting Interpreter: Windows Command Shell) and Credentials in Files is T1552.001 (Unsecured Credentials: Credentials In Files); map accordingly before importing these into a newer matrix.

Tasks