General

  • Target

    0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656.zip

  • Size

    246KB

  • Sample

    230321-qrlmmscf9v

  • MD5

    2fee8aedfa383e872fc9756eb5af6f0f

  • SHA1

    edf9224010d242f85ec0dc646cf7f9dd0a94dfc9

  • SHA256

    bde74f5dfdff3c14df49343fa54fee3bc237e556213b05d9ee12d9bceb335f1a

  • SHA512

    b8432ddd10ec5907fd7a7a037ce439f7fdfc7fa776f7530936ecf8fa92de95c7c06f35360fc47715b44a5c3e401dd2408109d6d6d029175a949369bcfeaaff17

  • SSDEEP

    3072:hM+QSkxZnQdWBCspwV4eSwGsbV0VUlHHpLEUBkV9qP1mgj7JoI0iNSdsVKw1DeJp:28oRBCsDe1dVjxEUBkV9qPVYltwZeJp

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ms12
  • Decoy


Targets

    • Target

      0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656.exe

    • Size

      261KB

    • MD5

      3f8f4a7f43b5627ed45128bb99f0b471

    • SHA1

      1c1931fe8db9b5df89d39e3121fa72c2a355ded1

    • SHA256

      0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656

    • SHA512

      800a88ff5985f832c73fbada7fa71175531dbe9bd47a93bc8941817e791d8868cfedd4dad2f82604ce06e1e2136821b963d35e23d580edf2d260475eb213ff6f

    • SSDEEP

      6144:4auq7FPth0P6iM7EFsjSHR58yQITE1vE1P57hO5FKHJa:HFPr0SirFjC1yP5NO5FKg

    • Formbook

      Formbook is a data-stealing malware family.

    • Guloader,Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Tasks