Overview

overview

10

Static

static

PaymentCopy121922.exe

windows7-x64

10

PaymentCopy121922.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    PaymentCopy121922.exe

  • Size

    733KB

  • Sample

    221219-kkaznshf4v

  • MD5

    05271d119938959aad2d32404ef0d9cf

  • SHA1

    1409bf13515044a066e694493182b7405ea6efaa

  • SHA256

    6ff54e94c6557ae213d67159c8c8bbdc84079801ba263631f9c7a798f660eaad

  • SHA512

    e313a4313611c66104563cc3dde78dd9869a5b5070082b3d859bdb96b493fdc2fdbab4014baa3ecc7196b3d44c6842f2f1f5b943e119ac316872bbaed911ec15

  • SSDEEP

    12288:5xx2cHss/S+PsN2/fFac/uL9eEhkAEZC4Gf3acHVNc42xtAq:rx2cHs6SqHdaOuBEZC4u37Vm42nAq

Score
10/10
formbooksnkyratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

snky

Decoy

AiMFvkl6+A4HEgZ99q5x4naN7lGmvJo=

tvj/KUTKeKgxszIemQ==

DTrTokBrjB5leF4=

tPeTOuIjJPtH

taxtMdIygEdpskxzOQ2ZjoAEeA==

CxLuaKAFRrJyuIqQUPbhZw==

Tn4fapT5kPmk1H0gpXQ=

h5p8hDqGSiRzdSbV

i3lg8tbRNRU6jC9pQSOxzHYZgpbnOKBx

EwbfBo6m+UXU2qaVUPbhZw==

WpeenFSMquJ3xXD1/b43

niV5qTFu3tfmcgrI

fqyyyElbdxWswJ7A

Lh7o92ZOr4ghbwvK

Y2RYMDue4x+KszIemQ==

lN3Y3z5AS85eah1MDvfFQQA=

uq+Oqh8MNRxHOOkqA9lqYEZZhJU=

FEtGDeGnnRoSQEM=

TkMlruotvsmtpFwg6shr03LjwMWGow==

7PGx8hNMep8EMj5Q39dsq16IbbaIrA==

Targets

    • Target

      PaymentCopy121922.exe

    • Size

      733KB

    • MD5

      05271d119938959aad2d32404ef0d9cf

    • SHA1

      1409bf13515044a066e694493182b7405ea6efaa

    • SHA256

      6ff54e94c6557ae213d67159c8c8bbdc84079801ba263631f9c7a798f660eaad

    • SHA512

      e313a4313611c66104563cc3dde78dd9869a5b5070082b3d859bdb96b493fdc2fdbab4014baa3ecc7196b3d44c6842f2f1f5b943e119ac316872bbaed911ec15

    • SSDEEP

      12288:5xx2cHss/S+PsN2/fFac/uL9eEhkAEZC4Gf3acHVNc42xtAq:rx2cHs6SqHdaOuBEZC4u37Vm42nAq

    Score
    10/10
    formbooksnkyratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks