General

  • Target

    ekstre_pdf.exe

  • Size

    308KB

  • Sample

    230411-hlctjscf2s

  • MD5

    a37dc47f86e84e5d0d2e6414c3cd5272

  • SHA1

    7c9a14ff443cc5de805200d6bcc750d64fb4b677

  • SHA256

    5902402fafb4be22faca64535718137ce5afd70004a14657daa9e7c6c3240feb

  • SHA512

    5f7cae8e6dc0f6d35c56ec212943359d78ae792f6dcbd8eb5987c1d8e020c49befa23951788fda56550ca83b05a478c7fbbc0c6178c9b1830b6050741a7638a3

  • SSDEEP

    6144:XhtyHU2Gthj3FRzxZckklMg0GGOvGmADclkMo6xkHwQEel:Xh4G9NxWBZ0VOvGm+cpRxg/Eel

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    mi94

  • Decoy

    realdigitalmarketing.co.uk
    athle91.com
    zetuinteriors.africa
    jewelry2adore.biz
    sneakersuomo.com
    hotcoa.com
    bestpetfinds.com
    elatedfreedom.com
    louisegoulet.com
    licensescape.com
    jenniferfalconerrealtor.com
    xqan.net
    textare.net
    doctorlinkscsk.link
    bizformspro.com
    ameriealthcaritasfl.com
    hanfengmeiye.com
    anjin98.com
    credit-cards-54889.com
    dinero.news

Targets

    • Target

      ekstre_pdf.exe

    • Size

      308KB

    • MD5

      a37dc47f86e84e5d0d2e6414c3cd5272

    • SHA1

      7c9a14ff443cc5de805200d6bcc750d64fb4b677

    • SHA256

      5902402fafb4be22faca64535718137ce5afd70004a14657daa9e7c6c3240feb

    • SHA512

      5f7cae8e6dc0f6d35c56ec212943359d78ae792f6dcbd8eb5987c1d8e020c49befa23951788fda56550ca83b05a478c7fbbc0c6178c9b1830b6050741a7638a3

    • SSDEEP

      6144:XhtyHU2Gthj3FRzxZckklMg0GGOvGmADclkMo6xkHwQEel:Xh4G9NxWBZ0VOvGm+cpRxg/Eel

    • Formbook

      Formbook is an information-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Command-Line Interface (1) T1059

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (3) T1082
