Overview

overview

10

Static

static

1

6fb6a2160d...af.exe

windows7-x64

10

6fb6a2160d...af.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    6fb6a2160d5ceeef3420d09b7156d35e403ba7098bc0bdcadc9e721de1b3d5af.zip

  • Size

    803KB

  • Sample

    230311-ptp76sbd9z

  • MD5

    d726bf1ffb7ea9230de3e0900d8463dc

  • SHA1

    c43c018e932819451d995c0efb2a8c091f252563

  • SHA256

    76d03562610a6bb9d1d35ca0635a7c3d863af4995ddc2c674789380d103e8a69

  • SHA512

    902b486ed56098229e5857dab53f47971841ea505dd5bb8d58e4cd5e46cae0add235c607e9790088cbc56b1ee88514e3054faacc262175ec988ea4e1e05dd5c4

  • SSDEEP

    24576:AVAgA7vNqXxn6vfjCmwRfp5PLCZB/Vjrhy:AQMXovZG7GdVc

Score
10/10
formbookh3scratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h3sc

Decoy

seemessage.com

bitlab.website

cheesestuff.ru

bhartiyafitness.com

bardapps.com

l7a4.com

chiara-samatanga.com

lesrollintioup.com

dropwc.com

mackey242.com

rackksfresheggs.com

thinkvlog.com

aidmedicalassist.com

firehousepickleball.net

sifreyonetici.com

teka-mart.com

ddttzone.xyz

macfeeupdate.com

ivocastillo.com

serjayparks.com

Targets

    • Target

      6fb6a2160d5ceeef3420d09b7156d35e403ba7098bc0bdcadc9e721de1b3d5af.exe

    • Size

      948KB

    • MD5

      72be1dd76472cba29a36135e882526fe

    • SHA1

      be4b041b0c21162e389f4a9a1620fda5e0050713

    • SHA256

      6fb6a2160d5ceeef3420d09b7156d35e403ba7098bc0bdcadc9e721de1b3d5af

    • SHA512

      67ed20a8ba6c464d2abccf06b6a1af5215645a8812672f39b499ae52419b361d74065ebcfe3f9fb933722969619fb17e298a53898551953b00bc5c620e5587bc

    • SSDEEP

      24576:jDKmIirBQVM3P06E+eaioYJjkVxOCAEzh:j2mIqq6fqBaioY2oCAK

    Score
    10/10
    formbookh3scratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks