General

  • Target: 5be556a2-14fa-4f52-8395-f6a8bd57c523.zip.unsafe
  • Size: 187KB
  • Sample: 221216-tdcpcshg7w
  • MD5: a82c49e5a5ef7820a600d18ee112e2b0
  • SHA1: 0b55c5a2cc58cc813c6f208309f9f8f3a7c1d0ac
  • SHA256: 52900803e3f58b611e5f7160be064d84a08e4ac78b03440647f618732a55bf56
  • SHA512: 52259e83d2d5d3fc4d42f6f9584c26544298305b2c4e04e3a421c4c591f295a8d8b7ede6d2d2361b1fb0acdfee1a409c357f98515cc9fa12228ff3c27b55b8f7
  • SSDEEP: 3072:/O32ACmYZurqlP9216UVWUW6wFmx0mbl4FazRzs8KNpBoZnK/fmjVE2if0k2d+2Q:M2ATmurQK6Uw67BRslB4naFMk2doL

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: d06c
  • Decoy


Targets

    • Target: pl2.bin
    • Size: 266KB
    • MD5: f919de1034edc7b8a4a5a8aa8f0067dd
    • SHA1: ce50421738d5fb3108fe147dfdea5733fb01e19e
    • SHA256: 81ce31f6f3cd9a6a6037c411a1485bee35eaa93965fc6ccc2bd857c991fcad90
    • SHA512: 946fafde24bf34a659d8df5bcd0db2ff3791b92c0fd36d96a9273436bbc75244cfb26cc9bf00d86370fc92d13d3e791905bc8f8fe97eb74e1ea3b556cd649b70
    • SSDEEP: 6144:MtXZXPanzcQUuLgsNG0BPspB4nAFmklJB:Mtsz5DLgsp5ngDlj

    • Formbook

      Formbook is a data-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader, first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2
  • System Information Discovery (T1082): 2

Tasks