Overview

overview

10

Static

static

Scannedfile.exe

windows7-x64

10

Scannedfile.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Scannedfile.exe

  • Size

    350KB

  • Sample

    230128-vzabssfd75

  • MD5

    56390adecfa92125980762fc0e8494a7

  • SHA1

    d3c4dde030bcfc33c66e3a4753da01ccab190395

  • SHA256

    e15ba8be78ecdfc804dba4fbce9e14eaef0d84ec4c9b82d5d8b109c64a566266

  • SHA512

    7c45d53f6e6d09aa227b51a52cf09be6e2cf1ad1ab0e5aef1eddbe321748dc1d1601a215952aa983f18774a0960c567a2118271a897869565c7d7f36a36ee45c

  • SSDEEP

    6144:vYa6Gwv4JbsquWe3Jf+vNUY88npcc90c72Z5X2uWRN:vYowvh02L8pJ0cP7

Score
10/10
formbookdcn0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

dcn0

Decoy

ZVx68vDtAMBCwg==

oBMBvsNORkM/O/ox

Ff9pISWkm6eG4lByIspp

c2T42c6CIIF6B8xTxm9XzpVw

bvjhxRbnAC183w==

0lTttSNG4HUDNflyIspp

hPXFlstqiHA/O/ox

WLR+MeerxZ0cNn1ja+IQAYo=

IHRn4xXOVKi477zarG+ObSy7YJA=

Xhf3e+tdAC183w==

Xk0ZAezv2rWH

kngo+vBeSRN7AszNwam3Osmguuqc0MoC

a2Qp7a+E8fSw7LDjpnqEKjsRZA==

3zjy4E7+QM48wg==

YcCmqT3OUNAigVott2pBKiy7YJA=

4+SMeX1juat/5cZ1AZihcyy7YJA=

/+m7sro0OBTl3TMpCw==

i2ctEfe4//a64yklMsgS2J90

+loZ2QKGX0UWgpvErMs=

b9BNCnJWQJS8IfsR0uR3bCy7YJA=

Targets

    • Target

      Scannedfile.exe

    • Size

      350KB

    • MD5

      56390adecfa92125980762fc0e8494a7

    • SHA1

      d3c4dde030bcfc33c66e3a4753da01ccab190395

    • SHA256

      e15ba8be78ecdfc804dba4fbce9e14eaef0d84ec4c9b82d5d8b109c64a566266

    • SHA512

      7c45d53f6e6d09aa227b51a52cf09be6e2cf1ad1ab0e5aef1eddbe321748dc1d1601a215952aa983f18774a0960c567a2118271a897869565c7d7f36a36ee45c

    • SSDEEP

      6144:vYa6Gwv4JbsquWe3Jf+vNUY88npcc90c72Z5X2uWRN:vYowvh02L8pJ0cP7

    Score
    10/10
    formbookdcn0ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1
T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

3
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks