General

  • Target

    PROFIL FIRMY (MP TECH)-pdf.exe

  • Size

    610KB

  • Sample

    230509-hwrepagf2y

  • MD5

    4e6131a059e87569d9454a949c001c48

  • SHA1

    5bfd6dd345a337b6446ae3536b9714c6bc7420c2

  • SHA256

    5708134963ec09acd66b22cf1115ec458151bdb151b5ecdeb69cca55081acadd

  • SHA512

    7510aaeae70e1455afc650ea5b3d068761ae0884f778d1c134385b226abfdfec20644816cff23b71ca7cf2e82bc1ead5694345baf7cb716e5c55c432c1d9c3d6

  • SSDEEP

    6144:LUjRwLhHAz5eS/Yvaj1XWsM3MNtIpER5GmAqYnJ/zUR24FEBng4To8PoPSELaobH:Lq42FAoxMh2VnYnh2Y08P2LL9byI7

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il07

Decoy

Targets

    • Formbook

      Formbook is an information-stealing malware family (infostealer).

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent, possibly to detect virtualization.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
