General

  • Target

    E-dekont.exe

  • Size

    286KB

  • Sample

    230327-f6lk3sbh53

  • MD5

    7f453b503f828a474ca684b065498d01

  • SHA1

    b82a91e97e1c0a23b993db56f9f6049a96580b34

  • SHA256

    7cdb9e0fde39ad1578dbd905a88c8b6492a608349c0fed0c79879f5a086108e9

  • SHA512

    167c0afb30cd84f7a2980f1713012f5722b00a642977cb1c7d6f353698a8d74c11cfb367585d1a93b3ff4defee526017d71240bb1331baaf2169062e258f73a3

  • SSDEEP

    6144:hT5Uzm0s9s3LWwHCZwX+A6UXqc0LrWK5OcraEUq2YWPOjJlaq8+:hT55Ns3LNi+uAz6c0LrWSaxHmX8+

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    be83

  • Decoy

    woodlandscancercare.org.uk
    hosting-delightful.lol
    bilpreco.com
    diplomk-v-habarovske.com
    dzgck.com
    jsdappraisals.com
    digitalnishant.com
    bluevibesgift.com
    wowchershoo.co.uk
    eudoriaofficial.online
    ourcampaign2024.net
    barlogcode.com
    calmingscents.biz
    thewaterfallproject.africa
    www-1911.com
    cigapp.online
    wooddroppers.africa
    casmiya.com
    haruminailbar.com
    drivermindset.com

Targets

    • Target

      E-dekont.exe


    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Discovery

    • Query Registry (T1012): 2 matching behaviors

    • System Information Discovery (T1082): 2 matching behaviors