General

  • Target: nakliye belgesi pdf.exe
  • Size: 888KB
  • Sample: 240214-t8tlcsfg5z
  • MD5: 505103d52e7960ef145dcb886672daaa
  • SHA1: abc357e0b0d1f3dab2a787a16eedf3b602ab9b03
  • SHA256: e58c41cb6f52ea51c5a8945d096b0229d3b71a804fd8b3a6d3cdea374decec95
  • SHA512: b8aa360d49c46b3145a9b8b6b1ba4905db1c74c372197a733a48e35d782ce7046e2b5e431924771e3656dcde5b72f73ecfffed1e0d0049f6aa29f28eb6ec1583
  • SSDEEP: 12288:gFoKhU4W/qh9fuoDJure02Zgzcel/Ai4wGllh50elrQTy:GoKmz/Fodu2gzTl/kDzlrQT

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: kmge

  • Decoy: 20 decoy domains

Targets

  • Target: nakliye belgesi pdf.exe (888KB; hashes as listed under General)

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload

  • Checks computer location settings

    Looks up the country code configured in the registry, likely a geofence check.

  • Drops startup file

  • Executes dropped EXE

  • Loads dropped DLL

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials.

  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution: Command and Scripting Interpreter (T1059) ×1
  • Defense Evasion: Modify Registry (T1112) ×1
  • Credential Access: Unsecured Credentials (T1552) ×1; Credentials In Files (T1552.001) ×1
  • Discovery: Query Registry (T1012) ×1; System Information Discovery (T1082) ×3; Remote System Discovery (T1018) ×1
  • Collection: Data from Local System (T1005) ×1

Tasks