General

  • Target

    21037d3de36ca089fdc638c7a3a09a00568d5d56e16aebdc2f30398e4eabffa6

  • Size

    625KB

  • Sample

    230515-c4hvmagg5z

  • MD5

    6ababfe9f98d833317f718c4d3d74145

  • SHA1

    03e660fe8bd44ae1301ec24bd115ed9637d18ba8

  • SHA256

    21037d3de36ca089fdc638c7a3a09a00568d5d56e16aebdc2f30398e4eabffa6

  • SHA512

    e355768fd84b7f8ba9db72bc5d8c3514c826f5bd1f36f87094f7679665022f5095296216c951a2a68378f6ab5fd8be74f6fff4d566eb367397e16921be8cdc16

  • SSDEEP

    12288:V0v9iQf9KqnAoDpcz/dJenAIQvNmpZiollSkz8+cZl5:VUNfbnHqz/+nAIDzl8NZl5

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk
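The domain list above is how Formbook hides its command-and-control: each sample embeds a set of domains (20 in this sample) of which only one is the operator's real server, the rest being decoys, frequently unrelated legitimate sites. A single DNS lookup of one of these names is therefore weak evidence, while an infected host will resolve several of them in quick succession. The following Python script, an added example that is not part of the sandbox report, turns the extracted config into that kind of detection. The DNS log format (timestamp, source IP, query name) and the log lines themselves are constructed for the example; the domain list is copied from the report.

```python
"""
Detection built from the Formbook 4.1 / campaign m82 config extracted above.

Rather than alerting on any lookup of a config domain (most are decoys and
some are legitimate sites), flag a host that resolves several distinct config
domains within a short window, which is the client-side behaviour of the
implant cycling through its domain list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Domain list exactly as extracted from the sample.
CONFIG_DOMAINS = frozenset({
    "jamesdevereux.com", "artificialturfminneapolis.com", "hongmeiyan.com",
    "lojaderoupasbr.com", "yit.africa", "austinrelocationexpert.com",
    "saiva.page", "exitsategy.com", "chochonux.com",
    "klosterbraeu-unterliezheim.com", "byseymanur.com",
    "sblwarwickshire.co.uk", "brazimaid.com", "ciogame.com",
    "bronzesailing.com", "dwkapl.xyz", "022dyd.com",
    "compassandpathwriting.com", "alphabet1x.com",
    "selfcleaninghairbrush.co.uk",
})


def matches_config_domain(qname):
    """Return the config domain that `qname` equals or is a subdomain of,
    else None. Case-insensitive; tolerates a trailing dot from the resolver."""
    q = qname.rstrip(".").lower()
    for domain in CONFIG_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def parse_dns_line(line):
    """Constructed log format (assumption): '<ISO-8601 ts> <src_ip> <qname>'."""
    ts, src, qname = line.split()
    return datetime.fromisoformat(ts), src, qname


def find_suspect_hosts(log_lines, min_domains=3, window=timedelta(minutes=10)):
    """Map src_ip -> sorted list of distinct config domains it resolved, for
    every host that hit at least `min_domains` distinct config domains
    inside any `window`-long interval."""
    hits = defaultdict(list)  # src_ip -> [(timestamp, config_domain)]
    for line in log_lines:
        ts, src, qname = parse_dns_line(line)
        domain = matches_config_domain(qname)
        if domain:
            hits[src].append((ts, domain))

    suspects = {}
    for src, events in hits.items():
        events.sort()
        # Slide the window start over each event and count distinct domains.
        for i, (t0, _) in enumerate(events):
            in_window = {d for t, d in events[i:] if t - t0 <= window}
            if len(in_window) >= min_domains:
                suspects[src] = sorted(in_window)
                break
    return suspects


# Constructed sample log: one incidental lookup, one host cycling through the
# list (the Formbook pattern), and one host with two hits hours apart.
SAMPLE_DNS_LOG = [
    "2023-05-15T09:01:02 10.0.0.5 www.jamesdevereux.com",
    "2023-05-15T09:05:10 10.0.0.7 www.jamesdevereux.com",
    "2023-05-15T09:05:12 10.0.0.7 artificialturfminneapolis.com",
    "2023-05-15T09:05:14 10.0.0.7 www.hongmeiyan.com",
    "2023-05-15T09:05:16 10.0.0.7 dwkapl.xyz",
    "2023-05-15T09:05:20 10.0.0.7 www.microsoft.com",
    "2023-05-15T11:30:00 10.0.0.9 yit.africa",
    "2023-05-15T14:00:00 10.0.0.9 saiva.page",
]

if __name__ == "__main__":
    for host, domains in find_suspect_hosts(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(domains)} config domains in window -> {domains}")
```

Tune `min_domains` and `window` to the environment; the real C2 domain is not identifiable from the config alone, so the per-host clustering, not any single name, is what carries the signal. Hosts flagged this way should be pivoted on with the hashes listed in this report and the process-injection behaviour noted under the signatures.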

Targets

    • Target

      21037d3de36ca089fdc638c7a3a09a00568d5d56e16aebdc2f30398e4eabffa6

    • Size

      625KB

    • MD5

      6ababfe9f98d833317f718c4d3d74145

    • SHA1

      03e660fe8bd44ae1301ec24bd115ed9637d18ba8

    • SHA256

      21037d3de36ca089fdc638c7a3a09a00568d5d56e16aebdc2f30398e4eabffa6

    • SHA512

      e355768fd84b7f8ba9db72bc5d8c3514c826f5bd1f36f87094f7679665022f5095296216c951a2a68378f6ab5fd8be74f6fff4d566eb367397e16921be8cdc16

    • SSDEEP

      12288:V0v9iQf9KqnAoDpcz/dJenAIQvNmpZiollSkz8+cZl5:VUNfbnHqz/+nAIDzl8NZl5

    • Formbook

      Formbook is an information-stealing malware family (form grabber, keylogger and credential stealer) sold as malware-as-a-service; this signature matches code characteristic of the family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular regions.

    • Suspicious use of SetThreadContext

      SetThreadContext redirects execution of a (typically suspended) thread; used outside a debugger it is a common building block of process hollowing and other code injection.

MITRE ATT&CK Matrix ATT&CK v6

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Tasks