General

  • Target

    Outstanding SOA.iso

  • Size

    400KB

  • Sample

    221216-rvqlfaeh42

  • MD5

    46de6e3ccac76d6d9c4c3e4919b7e135

  • SHA1

    6160a57b6d276e5277415dae6f657078d7f6065f

  • SHA256

    f77ffc2cd499f6b74149242e2a0e5694a9f684afbd1e335f9d3545e6c3a40651

  • SHA512

    6e197bc023b731e7bc59585beb6938ac2b3c5411c541aa0af5c723b96dd4f14cde200e6c84730098058102057a46678df9c9be73223853493c7727a7bb65d5ba

  • SSDEEP

    6144:Qkw5Ozbc0itHVpknYIuGGzQe+rnqLG529GmuVyvp0csCAFSu:WoyBMnYYHHb29BuVyvqh

Malware Config

Extracted

  • Family

    formbook

  • Campaign

    scse

  • Decoy

    SKpYFyVNT2zunKf0uuM=
    FlEHUseI7I5XbrO8fR/XBcS9ZA==
    FPuxoUOxkLiATugw
    VKdxsDSk0jdT5Kw=
    FpqHf9iI/1tl97E=
    YGI6sIl3UIxfZvlD+JiUuuLR
    oBAEO0suBEAD5aK00A==
    RKJqTzg4gQ/Q6DYSuTjDGkwuyl0ik5Kb8w==
    VFg9s3W0/Ype8A3cZb+D7g==
    hwD+VNd6014nrsaTWm4FBcS9ZA==
    zkAdUq1soKYUfZaTqLmL
    XVQ9WbRivUIQ477a/hKv+g==
    QireF2geizAwmp674AGc5g==
    PSTUQxs6j8OATugw
    LHJhyy2VbX8NEqf0uuM=
    MiY1vg6T3HqATugw
    wqkUjaVXnGgBqA==
    jUr/eUtSIT01Wegt
    PjQidcqKzAbSZICUZb+D7g==
    OkAmcv12sUEAIHwFHakzdIo2FPHw

Targets

    • Target

      Outstanding SOA.exe

    • Size

      339KB

    • MD5

      301addb86ca3c942e69305684bf5c91f

    • SHA1

      5ba7b078b5c4f83582f4b5fab738d2bc40b3caac

    • SHA256

      2c57f3f9227d165321ad3ec29060b58358f3e95968cc1b4b6eff7eb978a993d1

    • SHA512

      119d0d4a47a7dc8a2c6e823a706c5c93c6a3b746d6ac97f4fc1889133b42ac8bb191386bf71c3a299d92b63d87a24031c7a3aa339b7e18f67fe571d723e2dd4b

    • SSDEEP

      6144:9kw5Ozbc0itHVpknYIuGGzQe+rnqLG529GmuVyvp0csCAFSuH:toyBMnYYHHb29BuVyvqh1

    • Formbook

      Formbook is a data-stealing malware family.

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  Tactic              Technique                            Hits  ID
  Persistence         Registry Run Keys / Startup Folder   1     T1060
  Defense Evasion     Modify Registry                      2     T1112
  Credential Access   Credentials in Files                 1     T1081
  Discovery           Query Registry                       1     T1012
  Discovery           System Information Discovery         2     T1082
  Collection          Data from Local System               1     T1005

Tasks