Overview

overview

10

Static

static

SecuriteIn...21.exe

windows7-x64

10

SecuriteIn...21.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    SecuriteInfo.com.Trojan.PWS.Siggen3.24938.19146.12821.exe

  • Size

    970KB

  • Sample

    221209-mjxhdsch94

  • MD5

    13b2b2026b8f099fbb366c29288c3f22

  • SHA1

    d88b2101375f249288bd8060460f0c5874c8bc5c

  • SHA256

    60f594736fc96f0657680d022bd9b9117a4a7d08c1e80812b29d64fa69f814a3

  • SHA512

    e815486a563050a5deecb658e97be44166faf77620ac712182b5a27e96ecc54565fccbdc234cf929685348198db9aa3cdf284951bbbd5d9790e13ee06dcdf792

  • SSDEEP

    12288:GffyzF/GvWexBwO6pt0CKQ2BYj7yKBAhRLvO5pfslGyKMSMaGqsj0V1nedmVpFL:GffQexBSOCKxqjWC7kk8GGZj0V5NpF

Score
10/10
formbookf9r5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f9r5

Decoy

teknotimur.com

zuliboo.com

remmingtoncampbell.com

vehicletitleloansphoenix.com

sen-computer.com

98731.biz

shelikesblu.com

canis-totem.com

metaversemedianetwork.com

adsdu.com

vanishmediasystems.com

astewaykebede.com

wszhongxue.com

gacha-animator-free.com

papatyadekorasyon.com

mqc168.top

simplebrilliantsolutions.com

jubileehawkesprairie.com

ridflab.com

conboysfilm.com

Targets

    • Target

      SecuriteInfo.com.Trojan.PWS.Siggen3.24938.19146.12821.exe

    • Size

      970KB

    • MD5

      13b2b2026b8f099fbb366c29288c3f22

    • SHA1

      d88b2101375f249288bd8060460f0c5874c8bc5c

    • SHA256

      60f594736fc96f0657680d022bd9b9117a4a7d08c1e80812b29d64fa69f814a3

    • SHA512

      e815486a563050a5deecb658e97be44166faf77620ac712182b5a27e96ecc54565fccbdc234cf929685348198db9aa3cdf284951bbbd5d9790e13ee06dcdf792

    • SSDEEP

      12288:GffyzF/GvWexBwO6pt0CKQ2BYj7yKBAhRLvO5pfslGyKMSMaGqsj0V1nedmVpFL:GffQexBSOCKxqjWC7kk8GGZj0V5NpF

    Score
    10/10
    formbookf9r5ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks