Overview

overview

10

Static

static

3

MajorRevision.exe

windows7-x64

10

MajorRevision.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    MajorRevision.zip

  • Size

    263KB

  • Sample

    230515-q2t2rsea7t

  • MD5

    9291d9163cab80c9242879edc953e682

  • SHA1

    19eb9e1a2183a1adb66c2fa1931324f955a94b12

  • SHA256

    e3ec495aaad03bf794158b4503c20f8794614c960288fc6f6343ab174d213bf7

  • SHA512

    883f1abed42b33fcf4f2b7d6a8fdef966a606c181bcf73e2d036909075b663234a20bd98cf6059c29be8e78d0bb3c43031e7e4a479a207907f8a81f09a4b27b8

  • SSDEEP

    6144:F1Dgy1ZHuv1Hz2GM39bdOuGJnAJ7obJKANBEBP8EX8TrOjtE7cniwXHpEUocJsHM:FJlHK1HIGnJnAJ7obJKANBEB0LTrOJEA

Score
10/10
formbookm82ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Targets

    • Target

      MajorRevision.exe

    • Size

      348KB

    • MD5

      93b2754b3afa34b828cb071f036a8d31

    • SHA1

      db5fe2d1ac4bebb309b76dfa01dd6024152d8963

    • SHA256

      42dc8c1b59e676d065485a22fb11939ad1eac5114d0aba1e841cc404ebc08305

    • SHA512

      627109227413f4caa4390a203a6cac2a526656f7a7cd2bb8dbafc6ede6f6af4f7646a19c67a30568374e331c2671286244482c9d44416069997838876bae4db4

    • SSDEEP

      6144:AKWU8NrrXs+WsHmwZTbiDXRGgXn7jto/miDSEMZGlEjqZSHeQbn:AU8pIdxn7jevD1XM

    Score
    10/10
    formbookm82ratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Command-Line Interface

1
T1059

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks