General

  • Target

    Justificante de transferencia.exe

  • Size

    324KB

  • Sample

    230322-krk38afh38

  • MD5

    89c1af7470bf3a699a914a62a7a37c1f

  • SHA1

    75112e7df02461e8dc0266d6a147959b2ae3701c

  • SHA256

    c036bf9593241c5ba0f2a7d38b6ff8099344e4b17a758ff64b145f2329256415

  • SHA512

    fa4ef030ff88c36e4028fc22e7e285383f38d73ec5b36f06bf4f087d84a55dbf72ad8e79d279deecac3181c71b239549c023e27e529cc57c3d46bd4a46971ba6

  • SSDEEP

    6144:nQ606xUAK/TxV595DDV6v/bGj5Yb7T/lZNG5isZ/UTUNsKn8sFLZJFJJWkFx:k3LJZ6HbGjQLZiU1sFdHnWkFx

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bd16

Decoy

Targets

    • Target

      Justificante de transferencia.exe

    • Formbook

      Formbook is an information-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 2

Command and Control

  • Web Service (T1102): 1
