Overview

overview

10

Static

static

1

Outstanding SOA.exe

windows7-x64

10

Outstanding SOA.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Outstanding SOA.exe

  • Size

    272KB

  • Sample

    221216-qaccmshe7w

  • MD5

    110f69d363cea079d6d0bdeff1bb838f

  • SHA1

    324be5674ea782a4eaf68b51b87fc61b0f894044

  • SHA256

    bdee6d7a7e7cc141bdb3fc0997cbb07b1a85016e23fd74eec044a5ca52ae5052

  • SHA512

    c035d86afbd3b548cd6bf08a57838db4735f090fcbb34555179a52ea9b1c377490a8e550a42b5bbcf0d47e0560af9bde920fb16849c16e9add9adaf4beb9baec

  • SSDEEP

    6144:9kw24wUoB7N3lbNKRmqdtK1jdACBqE5ObP8l5i:S4wU6N3xZq/2pAiqE5OkQ

Score
10/10
formbookscsepersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

scse

Decoy

SKpYFyVNT2zunKf0uuM=

FlEHUseI7I5XbrO8fR/XBcS9ZA==

FPuxoUOxkLiATugw

VKdxsDSk0jdT5Kw=

FpqHf9iI/1tl97E=

YGI6sIl3UIxfZvlD+JiUuuLR

oBAEO0suBEAD5aK00A==

RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==

VFg9s3W0/Ype8A3cZb+D7g==

hwD+VNd6014nrsaTWm4FBcS9ZA==

zkAdUq1soKYUfZaTqLmL

XVQ9WbRivUIQ477a/hKv+g==

QireF2geizAwmp674AGc5g==

PSTUQxs6j8OATugw

LHJhyy2VbX8NEqf0uuM=

MiY1vg6T3HqATugw

wqkUjaVXnGgBqA==

jUr/eUtSIT01Wegt

PjQidcqKzAbSZICUZb+D7g==

OkAmcv12sUEAIHwFHakzdIo2FPHw

Targets

    • Target

      Outstanding SOA.exe

    • Size

      272KB

    • MD5

      110f69d363cea079d6d0bdeff1bb838f

    • SHA1

      324be5674ea782a4eaf68b51b87fc61b0f894044

    • SHA256

      bdee6d7a7e7cc141bdb3fc0997cbb07b1a85016e23fd74eec044a5ca52ae5052

    • SHA512

      c035d86afbd3b548cd6bf08a57838db4735f090fcbb34555179a52ea9b1c377490a8e550a42b5bbcf0d47e0560af9bde920fb16849c16e9add9adaf4beb9baec

    • SSDEEP

      6144:9kw24wUoB7N3lbNKRmqdtK1jdACBqE5ObP8l5i:S4wU6N3xZq/2pAiqE5OkQ

    Score
    10/10
    formbookscsepersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks