Overview

overview

10

Static

static

3

2f63ebbdab...9d.exe

windows7-x64

10

2f63ebbdab...9d.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    632d0b1d1be228f96b34300b650b2ef7.bin

  • Size

    515KB

  • Sample

    230514-bveaeaac29

  • MD5

    a0f466690c5c6a399ef1af46982c6034

  • SHA1

    df86c60676aee89685d89e0b2a7cadc0e7c2ca17

  • SHA256

    f2438fed82945c1600bf03ec36014cc60835c2ab1db4accd556d8254cd82c5f3

  • SHA512

    ca07b07184ddbb83b87b48a9fc18f0cae2995d08cfbb206b282be57f544278d6f57e309a0df261dee24138b076e9fd24d4afaad1a52f07a727af209499a52798

  • SSDEEP

    12288:c1ge9keDDWEFsgI99i09p580sh+V3j/nGJObLfXqop:AnuDEyziKCg3LGIb6op

Score
10/10
formbookm82ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Targets

    • Target

      2f63ebbdab728b4add526836bbe063788228b48240179035db13f85b9836559d.exe

    • Size

      589KB

    • MD5

      632d0b1d1be228f96b34300b650b2ef7

    • SHA1

      aae7dfc3c8e2c719dcf30282e7967c203d787ba8

    • SHA256

      2f63ebbdab728b4add526836bbe063788228b48240179035db13f85b9836559d

    • SHA512

      355e203f449e28458afc636ab1eac14f789a0bff10d0bbda6db0a371c60f83af11be15dd5de8da1275e04f559590dbc8a487e2de5d0c7961ccde83c99e5cbfc9

    • SSDEEP

      12288:268whh2Y4YZrALAaR0nA0PpE3Jv5mxKjV7Yig38+UnFlPZl:h8whh26rtaR+KN9YigM+UnTZl

    Score
    10/10
    formbookm82ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks