General

  • Target

    zaownienie.img

  • Size

    1.2MB

  • Sample

    230328-j2h6yabe7y

  • MD5

    47414ffe24b5698582788122b0160679

  • SHA1

    6771448f25d807ee18d8a1715e5fab11f9149738

  • SHA256

    9528017e989109cae2591f60299ef84b42f1eba732c24549ca000171a1edac85

  • SHA512

    7ec8fcbd174b240f64e5c2187a9bc321bfe3800828988f94b0a113b23fd83f6f32a978c35386ac770f6334a605f7c4067e336b87518807ffa864557f59993bb0

  • SSDEEP

    12288:GTMY1ltUnHhjgUciLJDrLmuychLXK8WE:GThtejgUci9DvgcM8W

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il23

Decoy

woodlandwoodworking.net

kitchen-deals-69155.com

hiddendia.xyz

xelaxaste.uk

sproutstrive.com

avlulu124.xyz

g-starnetwork.com

a-avdeeva.com

filmart.top

bustime411.com

besyor.xyz

joulex.live

christmastempjobsfinder.life

cxrh-official.com

themuzzy.co.uk

joshisarena.africa

dental4family.com

dietsandsixpacks.co.uk

innovativedigest.com

flyingphoenix.club

Targets

    • Target

      NR_ZAMOW.EXE

    • Size

      561KB

    • MD5

      abb44d8629dbbae4b307b638fa35c921

    • SHA1

      91b9b648dfcc9261d3c0135eea5c4a9da4e87985

    • SHA256

      55d12f1706d497912ee1c846004edea135577d7e2eb2246e9c439740be365643

    • SHA512

      c6226f1c6634e11a48c79668df2229d43476d6dec9351da239bf9da58500751e584dccf3eea2aba77e881b2eb9c8b116843b0cee5a7d2af21db0561c4e1661a2

    • SSDEEP

      12288:KTMY1ltUnHhjgUciLJDrLmuychLXK8WEu:KThtejgUci9DvgcM8Wh

    • Formbook

      Formbook is a data-stealing malware family (an information stealer).

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks