General

  • Target

    e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.xz

  • Size

    552KB

  • Sample

    240213-ghlfvagg9v

  • MD5

    c48f37f0177729809b87e75064b0045b

  • SHA1

    64a8c6600c6ecc7c417f399fba404722184fe475

  • SHA256

    e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6

  • SHA512

    1dc3d778042d00a46355865e8bda8e0293e9133c23a8993e9196e6b438cf06e6bee00c317029c799f85fa1cc0ed4e1627bba18bdf6884faab1b5817c7a4f8746

  • SSDEEP

    12288:ljoq0EQMmDKYlMfkrPtBIGKw3f+92geREVJFbrUb6Ttes7xTrLXMCKf:h8M4KYycrPruo+NeILBZp7xvLXpQ

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store
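The decoy list above is the part of the extracted config that is directly usable for detection. The following is an added example, not part of the sandbox report: it matches DNS query logs against the config's domain list and reports hosts that resolved several of them. Because the report labels these as decoys (Formbook configs list many domains, most unrelated to the live C2), a single match is weak evidence, while one client resolving several of them in a short window is the stronger signal. The log format (timestamp, client, queried name, whitespace-separated) and the sample lines are constructed for the example.

```python
# Added example (not from the report): scan DNS query logs for the decoy domains
# in the extracted Formbook config. Log format and sample lines are constructed.
import re
from collections import defaultdict

# Decoy domains copied from the extracted config above.
DECOY_DOMAINS = [
    "jia0752d.com", "cq0jt.sbs", "whimsicalweddingrentals.com", "meetsex-here.life",
    "hhe-crv220.com", "bedbillionaire.com", "soycmo.com", "mrawkward.xyz",
    "11ramshornroad.com", "motoyonaturals.com", "thischicloves.com", "gacorbet.pro",
    "ihsanid.com", "pancaketurner.com", "santanarstore.com", "cr3dtv.com",
    "negotools.com", "landfillequip.com", "sejasuapropriachefe.com",
    "diamant-verkopen.store",
]

# Assumed log line shape: "<timestamp> <client-ip> <queried-name>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)$")

# Constructed sample log; 10.0.0.5 resolves three config domains, 10.0.0.9 one.
SAMPLE_DNS_LOG = """\
2024-02-13T10:00:01Z 10.0.0.5 www.jia0752d.com
2024-02-13T10:00:02Z 10.0.0.5 www.google.com
2024-02-13T10:00:03Z 10.0.0.5 www.soycmo.com
2024-02-13T10:00:04Z 10.0.0.5 www.negotools.com.
2024-02-13T10:00:05Z 10.0.0.9 www.pancaketurner.com
2024-02-13T10:00:06Z 10.0.0.7 update.microsoft.com
""".splitlines()


def normalise(name: str) -> str:
    """Lowercase and strip the trailing dot that resolver logs often keep."""
    return name.strip().rstrip(".").lower()


def matched_decoy(query: str, decoys=DECOY_DOMAINS):
    """Return the config domain a query belongs to (exact or subdomain), else None.

    The suffix test requires a leading dot so that e.g. notjia0752d.com does not
    match jia0752d.com.
    """
    q = normalise(query)
    for d in decoys:
        d = normalise(d)
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_log(lines):
    """Return (ts, client, query, decoy) for every line whose query hits the list."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of aborting the scan
        d = matched_decoy(m["query"])
        if d:
            hits.append((m["ts"], m["client"], m["query"], d))
    return hits


def suspicious_clients(lines, threshold=2):
    """Clients that resolved at least `threshold` distinct config domains."""
    per_client = defaultdict(set)
    for _, client, _, d in scan_log(lines):
        per_client[client].add(d)
    return {c: sorted(ds) for c, ds in per_client.items() if len(ds) >= threshold}


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_DNS_LOG):
        print("hit:", *hit)
    print("clients over threshold:", suspicious_clients(SAMPLE_DNS_LOG))
```

The threshold is deliberately low for a short constructed log; on production DNS data, correlate the per-client count with the process and file indicators from the Targets section before acting on it.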

Targets

    • Target

      e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6

    • Size

      814KB

    • MD5

      8fc83cdc44075773ee401f010d2443b0

    • SHA1

      96cd91bb463dcb0f7b56e94bf2cb15d7dc8f63b6

    • SHA256

      220977b28fc847b8a2d7c65d3d19a3859e3e62dc5e19edaf4909965516a91694

    • SHA512

      12a5cf0ee3c995faf09f821e4f4db1bf4f50c5ead57e72bf6e518b38c4d14a020724698e0930ea515ddeb810464ab9c9a616e3c8cd0a7e82ce64ab58a614f597

    • SSDEEP

      12288:mj6mRlmDKClMfkrPEBuGKw3f+s2geR3VJ6wGllh5VelrQTydKp:m2a4KCycrPQIo+aePgDalrQTl

    • Formbook

      Formbook is an information-stealing malware family that harvests credentials and form data from browsers and other applications on the infected host.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers commonly target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Suspicious use of SetThreadContext
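The report lists two artefacts: the .xz container submitted to the sandbox (hashes under General) and the executable it decompresses to (hashes under Targets). The following is an added example, not part of the report: it verifies a local copy against both sets of hashes, decompressing the container in memory so the inner hashes can be checked without writing the payload to disk. The hash values are copied from the report; the file path on the command line is an assumption, and the offline demo uses a constructed stand-in payload rather than the real sample.

```python
# Added example (not part of the sandbox report): verify a local copy of the
# sample against the hashes listed for the .xz container (General) and for the
# decompressed payload (Targets). Hash values are copied from the report; the
# file path is an assumption.
import hashlib
import lzma
import sys

ALGOS = ("md5", "sha1", "sha256", "sha512")

# Container (the .xz file submitted to the sandbox), as listed under General.
OUTER_HASHES = {
    "md5": "c48f37f0177729809b87e75064b0045b",
    "sha1": "64a8c6600c6ecc7c417f399fba404722184fe475",
    "sha256": "e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6",
    "sha512": "1dc3d778042d00a46355865e8bda8e0293e9133c23a8993e9196e6b438cf06e6"
              "bee00c317029c799f85fa1cc0ed4e1627bba18bdf6884faab1b5817c7a4f8746",
}

# Inner executable after xz decompression, as listed under Targets.
INNER_HASHES = {
    "md5": "8fc83cdc44075773ee401f010d2443b0",
    "sha1": "96cd91bb463dcb0f7b56e94bf2cb15d7dc8f63b6",
    "sha256": "220977b28fc847b8a2d7c65d3d19a3859e3e62dc5e19edaf4909965516a91694",
    "sha512": "12a5cf0ee3c995faf09f821e4f4db1bf4f50c5ead57e72bf6e518b38c4d14a0"
              "20724698e0930ea515ddeb810464ab9c9a616e3c8cd0a7e82ce64ab58a614f597",
}


def digests(data: bytes) -> dict:
    """Compute the four digests the report lists, as lowercase hex."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


def check(data: bytes, expected: dict) -> dict:
    """Map each algorithm to True/False depending on whether its digest matches."""
    actual = digests(data)
    return {algo: actual[algo] == value.lower() for algo, value in expected.items()}


def verify_sample(archive: bytes, outer=OUTER_HASHES, inner=INNER_HASHES) -> dict:
    """Check the container, then decompress it in memory and check the payload.

    Returns {"outer": {...}, "inner": {...}}; "inner" is None when the bytes are
    not a valid xz stream (for example a truncated download), so the caller sees
    a failed outer check instead of an exception.
    """
    result = {"outer": check(archive, outer), "inner": None}
    try:
        payload = lzma.decompress(archive)
    except lzma.LZMAError:
        return result
    result["inner"] = check(payload, inner)
    return result


def demo_with_constructed_archive() -> dict:
    """Exercise verify_sample offline on a constructed payload (not the real
    sample); the expected digests are computed on the fly."""
    payload = b"constructed stand-in for the inner executable\n" * 64
    archive = lzma.compress(payload)
    return verify_sample(archive, outer=digests(archive), inner=digests(payload))


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to the downloaded .xz is an assumption
        with open(sys.argv[1], "rb") as fh:
            report = verify_sample(fh.read())
    else:
        report = demo_with_constructed_archive()
    for layer, outcome in report.items():
        print(layer, "skipped (not an xz stream)" if outcome is None else outcome)
```

Run it with the path to the downloaded .xz to check the real file; with no argument it runs the constructed demo. A mismatch on the outer hashes with a matching inner set usually means the container was re-compressed rather than the payload tampered with, which is why both layers are reported separately.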

MITRE ATT&CK Matrix (ATT&CK v13)

Defense Evasion

  • Modify Registry (T1112): 1

Credential Access

  • Unsecured Credentials (T1552): 1

  • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 3

  • Remote System Discovery (T1018): 1

Collection

  • Data from Local System (T1005): 1
