General

  • Target: 0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656.zip
  • Size: 246KB
  • Sample: 230321-rze1habb98
  • MD5: 8ebe1da75e5359964d1dcee4f91c9bee
  • SHA1: 8ef8e69329acf54f9451307a15e59c63fbcafde7
  • SHA256: 90b17c21b9f87c4bb5894ee0de441239a5e2c2eb2b6713675eb35f0ef096f577
  • SHA512: b02fff71182c7c8e05a72dd2a837b5f18c1a256cfe1bdae53e1cf6af800b7393dee3eb1da55e6f1e0c4cfb13077ba1e84a89336cdea64fc36c0ee8178491be42
  • SSDEEP: 6144:VnJ0rq2xYGJ0/bndDGb90FCXoX3xEXG+1aaNDxuq:VJ0rqaYi+ndG68UhEW+JNtB

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ms12

Decoy


Targets

    • Target: 0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656.exe
    • Size: 261KB
    • MD5: 3f8f4a7f43b5627ed45128bb99f0b471
    • SHA1: 1c1931fe8db9b5df89d39e3121fa72c2a355ded1
    • SHA256: 0ae741990942bc5b9a51a72dc1cc9f2197b8fe140b76eee9170c3260c00e8656
    • SHA512: 800a88ff5985f832c73fbada7fa71175531dbe9bd47a93bc8941817e791d8868cfedd4dad2f82604ce06e1e2136821b963d35e23d580edf2d260475eb213ff6f
    • SSDEEP: 6144:4auq7FPth0P6iM7EFsjSHR58yQITE1vE1P57hO5FKHJa:HFPr0SirFjC1yP5NO5FKg

    • Formbook

      Formbook is an information-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks for the presence of the QEMU agent file, possibly to detect virtualization.

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2
