Overview

overview

10

Static

static

lSQSMS1aatHclJP.exe

windows7-x64

10

lSQSMS1aatHclJP.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    lSQSMS1aatHclJP.exe

  • Size

    734KB

  • Sample

    221219-q6dkksab9v

  • MD5

    b5ecdb2b4c89d8b2111fef5112b3d59c

  • SHA1

    c7e446bbdd1a23d47e860f3bf029ab8fea3621af

  • SHA256

    033d52b01807172f9946d2c20c009df5c1a6a65ea153d75cc6e670d2151f79cc

  • SHA512

    0e102a230c2e3757e1e5f6e44af8bf14d6f866768d7054dd1f21793374ab6d8090d112558700fab87a31f5e2197fbb6cb215cad72b511a94526a1fcfe3015866

  • SSDEEP

    12288:8kMCVc1FDEC8oAc08NZ8OwESaDj3xvvn+EcVt8gnx2cHss/S+PHc42xtAq:pMGc1r8ooiYCj3xvv+9Yux2cHs6Sq84c

Score
10/10
formbookfqwuratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

fqwu

Decoy

N6XHavFRXQTRmNUkF9dn

EoaWTgFMmLFmUJ7CJNkTiGoj5A==

Dm+WNJDwSQa5cML3Q7EBiGoj5A==

nixR8ZCkOWjqrASBuic=

yvWQNApkdf4QYIih4+xUDY0=

RtmBQtDYDb50g8btXA==

8SU541y9Ec12NYK8PSOfA8OPpaphimY=

/yEvxvlAkquuY3W1QQ==

AlHZgYW4BiI9V+M=

YsHIUsAOO15j+9TnWA==

JJu1S7QIIMij0xUqlUtv

CmWBLrD98YnyUCCFvy0=

uPwhAVEvtu1rTuY=

PI6bR88GVGXmRlpxpKjtBpo=

GnL7qs9HVQAiF6ckF9dn

2zVeBFKZgO1rTuY=

2VI1VpOg7boCAFxvrWN3ys9rovE=

L1lO62zA2o1QEEZRQtgh7g==

brhF5dY1e3zmSyCFvy0=

U6m2TsEidTTdsA5kX8wh7g==

Targets

    • Target

      lSQSMS1aatHclJP.exe

    • Size

      734KB

    • MD5

      b5ecdb2b4c89d8b2111fef5112b3d59c

    • SHA1

      c7e446bbdd1a23d47e860f3bf029ab8fea3621af

    • SHA256

      033d52b01807172f9946d2c20c009df5c1a6a65ea153d75cc6e670d2151f79cc

    • SHA512

      0e102a230c2e3757e1e5f6e44af8bf14d6f866768d7054dd1f21793374ab6d8090d112558700fab87a31f5e2197fbb6cb215cad72b511a94526a1fcfe3015866

    • SSDEEP

      12288:8kMCVc1FDEC8oAc08NZ8OwESaDj3xvvn+EcVt8gnx2cHss/S+PHc42xtAq:pMGc1r8ooiYCj3xvv+9Yux2cHs6Sq84c

    Score
    10/10
    formbookfqwuratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Tasks