General

  • Target

    Outstanding SOA.exe

  • Size

    601KB

  • Sample

    221210-j7afzsfb48

  • MD5

    5b18fe7d9aa3fdcdec0d0932827f7b05

  • SHA1

    104e5d48286576742b08a760d208ce13ad141594

  • SHA256

    0f271e19f44c1a2535e2010c6c9d25cacfba120bd75fab85e01feebe961dd4c7

  • SHA512

    871820be64509b04dd7fd35d7e44204050801a9157836fc9ddfaedf83a1aa6d583bd0541753caa9b78e6b2c425e2e7487e5e223d5bcdcbb95d5b7bca0186db53

  • SSDEEP

    12288:1Z+9tvUmtBrASq86QaJZ76qIJgNhU3aHHI1S8WDcKEBkKmYu8gWd78rrYk3S:b+vvLo86QMZ7QQuoT8WYu8Rd78r8

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    scse

  • Decoy

    SKpYFyVNT2zunKf0uuM=
    FlEHUseI7I5XbrO8fR/XBcS9ZA==
    FPuxoUOxkLiATugw
    VKdxsDSk0jdT5Kw=
    FpqHf9iI/1tl97E=
    YGI6sIl3UIxfZvlD+JiUuuLR
    oBAEO0suBEAD5aK00A==
    RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==
    VFg9s3W0/Ype8A3cZb+D7g==
    hwD+VNd6014nrsaTWm4FBcS9ZA==
    zkAdUq1soKYUfZaTqLmL
    XVQ9WbRivUIQ477a/hKv+g==
    QireF2geizAwmp674AGc5g==
    PSTUQxs6j8OATugw
    LHJhyy2VbX8NEqf0uuM=
    MiY1vg6T3HqATugw
    wqkUjaVXnGgBqA==
    jUr/eUtSIT01Wegt
    PjQidcqKzAbSZICUZb+D7g==
    OkAmcv12sUEAIHwFHakzdIo2FPHw

Targets

    • Target

      Outstanding SOA.exe

    • Formbook

      Formbook is an information-stealing malware family (a data stealer).

    • Executes dropped EXE

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Command-Line Interface (T1059): 1

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 3

Tasks