General

  • Target

    G.rar

  • Size

    184KB

  • Sample

    221209-cyal3afa5z

  • MD5

    aa62d654c6839aaca44274709cd134ec

  • SHA1

    bf0f62e041d06fa27592c89219708c1f7a6d2185

  • SHA256

    6351c69330812979b20ca0237dd523081e73bdec6b48c6a1bf8cac708b028ef9

  • SHA512

    8451ab099c9b10d505b42e7b00f6b9b0b37b675bb3c2e61d5ff21ef04611d91250bde43e24be554eb8b038797d3c478a88e3f97883f73201255c7342ac9eb4d1

  • SSDEEP

    3072:tqQbSC5ocPstFUfBYJLNnk+roy0tYqTgmm7lgq0hYMONvluBJmrEQRJQsazVx5:I0scU74cNnFYY1wqIYxlamrEQLmV

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d06c

Decoy

douglasdetoledopiza.com

yxcc.online

primo.llc

mediamomos.com

cosmetiq-pro.com

22labs.tech

turbowashing.com

lindaivell.site

princess-bed.club

groundget.cfd

agretaminiousa.com

lomoni.com

nessesse.us

lexgo.cloud

halilsener.xyz

kirokubo.cloud

corotip.sbs

meghq.net

5y6s.world

weasib.online
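
The decoy list is itself a usable indicator: a Formbook config hides the real C2 among decoy domains and the implant beacons to entries from the list, so DNS queries for any of them from one host are worth chasing. The following Python is an added example and not part of the sandbox report. It matches DNS log lines against the list above, including subdomains, and groups hits per client; the log line format, client addresses and timestamps are constructed assumptions.

```python
"""Hunt for queries to the Formbook decoy/C2 domains listed in this report.

Added example, not part of the sandbox report. The log line format below is
an assumption (constructed for illustration):
    <timestamp> client=<ip> query=<fqdn> type=<rrtype>
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Domains copied from the "Decoy" section of the report.
DECOY_DOMAINS: List[str] = [
    "douglasdetoledopiza.com", "yxcc.online", "primo.llc", "mediamomos.com",
    "cosmetiq-pro.com", "22labs.tech", "turbowashing.com", "lindaivell.site",
    "princess-bed.club", "groundget.cfd", "agretaminiousa.com", "lomoni.com",
    "nessesse.us", "lexgo.cloud", "halilsener.xyz", "kirokubo.cloud",
    "corotip.sbs", "meghq.net", "5y6s.world", "weasib.online",
]

_LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<query>\S+)")

Hit = Tuple[str, str, str, str]  # (timestamp, client, queried name, matched domain)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that DNS loggers often emit."""
    return name.lower().rstrip(".")


def matches_domain(query: str, domain: str) -> bool:
    """True if query is the listed domain itself or a subdomain of it.

    The leading dot in the suffix test keeps 'notlomoni.com' from matching
    'lomoni.com'.
    """
    q, d = normalize(query), normalize(domain)
    return q == d or q.endswith("." + d)


def find_decoy_hits(log_lines: Iterable[str],
                    domains: Iterable[str] = DECOY_DOMAINS) -> List[Hit]:
    """Scan log lines and return every query that lands on a listed domain."""
    domains = list(domains)
    hits: List[Hit] = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        for domain in domains:
            if matches_domain(m["query"], domain):
                hits.append((m["ts"], m["client"], normalize(m["query"]), normalize(domain)))
                break
    return hits


def domains_per_client(hits: Iterable[Hit]) -> Dict[str, Set[str]]:
    """Group matched domains by client; an infected host usually touches several."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for _ts, client, _query, domain in hits:
        grouped[client].add(domain)
    return dict(grouped)


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    "2022-12-09T10:00:01Z client=10.0.0.5 query=www.yxcc.online. type=A",
    "2022-12-09T10:00:02Z client=10.0.0.5 query=example.org type=A",
    "2022-12-09T10:00:03Z client=10.0.0.7 query=notlomoni.com type=A",
    "2022-12-09T10:00:04Z client=10.0.0.5 query=PRIMO.LLC type=A",
    "this line is not in the expected format",
    "2022-12-09T10:00:05Z client=10.0.0.9 query=meghq.net type=AAAA",
]

if __name__ == "__main__":
    for client, doms in sorted(domains_per_client(find_decoy_hits(SAMPLE_LOG)).items()):
        print(f"{client}: {', '.join(sorted(doms))}")
```

A single hit can be a coincidence (some decoys are real, parked or benign domains), which is why the per-client grouping matters: one host resolving several names from this list in a short window is the pattern to alert on.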

Targets

    • Target

      91ef79825a38a6d9942f8963206785bc.vbs.vir

    • Size

      784B

    • MD5

      4304fd3c7c6532cb19e0f29773b5e253

    • SHA1

      333be879c7816ebc1417fad26953fc235e2cf2ac

    • SHA256

      0593fa1832103b3903a35bbfab6f0331cb9031b75afeff791cc7d331f5c2a028

    • SHA512

      faed7856e6f9e1933bd1730d1165c75e3dd12288fb7b5d9a3a6a2416efb5a592301aca98ce90562c59045d5f3e81b54c00d1afecc6634af85b330bd3c6ff2031

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used as a geofence.

    • Reads user/profile data of local email clients

      Email clients store profile data and saved credentials on disk, which infostealers commonly target.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other profile data.

    • Accesses Microsoft Outlook profiles

    • Target

      f919de1034edc7b8a4a5a8aa8f0067dd.exe.vir

    • Size

      266KB

    • MD5

      a30c15bda927aeb2ff67b7bbc69aee4f

    • SHA1

      9664785694f1b27cd5a6972dd2451a0499d77dac

    • SHA256

      e86e7a5474975bd8099a89b34823da8d58195eb40f59d295b6d425a7763e2a1d

    • SHA512

      5b7fbe69ce2d0e30068770a8667934c429f7d081a2413cbc28ca952f7b3640f341a5f8ba7f4508624e45a081838ed7da8f7413257c441652e19a1f7757255c1d

    • SSDEEP

      6144:MtXZXPanzcQUuLgsNG0BPspB4nAFmklJ:Mtsz5DLgsp5ngDl

    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials and form data from web browsers and email clients and can log keystrokes and capture screenshots.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
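
The report lists MD5, SHA1, SHA256 and SHA512 for the archive and both extracted files. The Python below is an added example, not part of the sandbox report: it hashes a file in one streaming pass with all four algorithms and resolves any single digest (for example an MD5 from an old ticket) to the matching report entry. Hash values are copied from the report; the function names and the test bytes are assumptions. SSDEEP is not covered because it needs a third-party library.

```python
"""Hash a file and check it against the IOCs in this report.

Added example, not part of the sandbox report. Hash values are copied from
the report; the function names and the test bytes are assumptions.
"""
import hashlib
from typing import Dict, Iterable, Optional

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# IOC table keyed by SHA256, carrying the other digests the report lists.
REPORT_IOCS: Dict[str, Dict[str, str]] = {
    "6351c69330812979b20ca0237dd523081e73bdec6b48c6a1bf8cac708b028ef9": {
        "name": "G.rar",
        "md5": "aa62d654c6839aaca44274709cd134ec",
        "sha1": "bf0f62e041d06fa27592c89219708c1f7a6d2185",
        "sha512": "8451ab099c9b10d505b42e7b00f6b9b0b37b675bb3c2e61d5ff21ef04611d91250bde43e24be554eb8b038797d3c478a88e3f97883f73201255c7342ac9eb4d1",
    },
    "0593fa1832103b3903a35bbfab6f0331cb9031b75afeff791cc7d331f5c2a028": {
        "name": "91ef79825a38a6d9942f8963206785bc.vbs.vir",
        "md5": "4304fd3c7c6532cb19e0f29773b5e253",
        "sha1": "333be879c7816ebc1417fad26953fc235e2cf2ac",
        "sha512": "faed7856e6f9e1933bd1730d1165c75e3dd12288fb7b5d9a3a6a2416efb5a592301aca98ce90562c59045d5f3e81b54c00d1afecc6634af85b330bd3c6ff2031",
    },
    "e86e7a5474975bd8099a89b34823da8d58195eb40f59d295b6d425a7763e2a1d": {
        "name": "f919de1034edc7b8a4a5a8aa8f0067dd.exe.vir",
        "md5": "a30c15bda927aeb2ff67b7bbc69aee4f",
        "sha1": "9664785694f1b27cd5a6972dd2451a0499d77dac",
        "sha512": "5b7fbe69ce2d0e30068770a8667934c429f7d081a2413cbc28ca952f7b3640f341a5f8ba7f4508624e45a081838ed7da8f7413257c441652e19a1f7757255c1d",
    },
}


def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed a stream of chunks through all four digests in a single pass."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Convenience wrapper for in-memory data."""
    return hash_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file so large archives are hashed without loading them whole."""
    with open(path, "rb") as f:
        return hash_chunks(iter(lambda: f.read(chunk_size), b""))


def match_ioc(digests: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the report entry matching any supplied digest, else None.

    Every algorithm is checked, so a partial set (only an MD5, say) still
    resolves to the sample. Input is case-normalised because hashes are
    often pasted in upper case.
    """
    normalized = {alg: value.lower() for alg, value in digests.items()}
    for sha256, entry in REPORT_IOCS.items():
        if normalized.get("sha256") == sha256:
            return dict(entry, sha256=sha256)
        for alg in ("md5", "sha1", "sha512"):
            if alg in normalized and normalized[alg] == entry[alg]:
                return dict(entry, sha256=sha256)
    return None


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests = hash_file(path)
        hit = match_ioc(digests)
        verdict = f"MATCH {hit['name']}" if hit else "no match"
        print(f"{path}: sha256={digests['sha256']} {verdict}")
```

Run it as `python check_iocs.py suspicious.rar` (script name is an assumption). Note that the VBS and EXE hashes belong to files extracted from the archive, so a match on the archive alone does not tell you whether the dropper ran; pair the file check with the domain hunt above.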

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic             Technique                      Signatures  ID
  Credential Access  Credentials in Files           2           T1081
  Discovery          Query Registry                 3           T1012
  Discovery          System Information Discovery   4           T1082
  Collection         Data from Local System         2           T1005
  Collection         Email Collection               1           T1114

  IDs follow ATT&CK v6, the version this report was mapped against. T1081 (Credentials in Files) has since been deprecated and corresponds to T1552.001 (Unsecured Credentials: Credentials In Files) in current ATT&CK releases; check the current IDs before copying these into detection content.
