General

  • Target

    103.133.110.147_-_OneDrive_-_csrss.exe___4c7135b466d0d97fe0dce29650ed97f2.dat

  • Size

    333KB

  • Sample

    221209-qyfd7sdc59

  • MD5

    4c7135b466d0d97fe0dce29650ed97f2

  • SHA1

    fde47b76280185cd1d39e9d22aed3d8e0047814f

  • SHA256

    81276296b6d3afcded72b489d0d5b9c7e6e7a13569e3868f6c063489318d2a9c

  • SHA512

    bb0820a6ee336942a3a06da0cc2bdc49ea870cde63ff0972ce1559531e473c256590826bd6b4ac5afe913748a4b07d2a7a4be0b4b1d047a7ba5d416329aaa91b

  • SSDEEP

    6144:9kw5wnBY2pNRJapeMSZE2dcEtJI5WwYFJ0oPsMf48ZKXQm1s:YBfpf+eMSZ37keP0m1KX8

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    f4ca

  • Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (2)

    System Information Discovery, T1082 (3)

Tasks