General

  • Target

    d0c1e2d3400adbc801fb564688620041.bin

  • Size

    685KB

  • Sample

    230316-gtt75abf3y

  • MD5

    35f78525e35df5a94be773b2a363b0c9

  • SHA1

    dde637b8a3ebab6ae31222a42502af095b048218

  • SHA256

    7ceddb9d23c536b2d5d9c4d57cc24aa764944db16f62b8db871db41f34e22be6

  • SHA512

    ee61bde34101ff647989e126d68d7b9cdb42caed13042f4e27587fc353aded7b763022e76a67dc2f984b507a50dd2d1752127f8013b2b2f1818f69455165d7f6

  • SSDEEP

    12288:WTwLqQknE60unjAA4AeT/IG0Q+YhH2QNnV7FBCEIP1jbucnDXPDHwRD7Icd:WTwLqNW9NMG0Q+KWketjzDH2gcd

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    h3sc

  • Decoy


Targets

    • Target

      77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6.bin

    • Size

      762KB

    • MD5

      d0c1e2d3400adbc801fb564688620041

    • SHA1

      499c664b4170c484c661286d02135186ae5e77f8

    • SHA256

      77ed29ab8aa9da3669874c3f49e81c581105a981e8537a78382dc69e043943a6

    • SHA512

      28a8dde829add33a2550e668461e2b1899982ae49c9733dc29118a2ce8bcff8903924049fcb964e6b6faee41b303c49decda52de9c08b6349d2dcc16c08a9c74

    • SSDEEP

      12288:ZCvwk/wjZBHYBcLnCdP9+V7ywfxxM+fd6BVvhazSUQxHIugLrxhS/ESBoYXJGRTw:ZCvwIkBaf+RTG+fdifRFgLjS/7nJT

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) - T1053

  • Persistence

    Scheduled Task (1) - T1053

  • Privilege Escalation

    Scheduled Task (1) - T1053

  • Discovery

    Query Registry (1) - T1012

    System Information Discovery (2) - T1082
