General

  • Target

    ce49deb9ddf2f3492e74cd693058553e

  • Size

    483KB

  • Sample

    240316-rv2zgach2t

  • MD5

    ce49deb9ddf2f3492e74cd693058553e

  • SHA1

    7709baccd7f7febc97e72b406b2d019c268f53e7

  • SHA256

    27cab0dcde13177702aa27e40a1fa8a3ed4a1018b0611ddec73be096005decde

  • SHA512

    1c14202f2f2332c68ad26a08adac4a46470f7bf567ca01c14f04532b1d53249c04fc033e99dd58c8e0b1b1016814af1662e2151840d48355943638d960033068

  • SSDEEP

    6144:vIFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9U:ih8Mz+sv3y2N1xzAZprkmuN/SD5iKefy

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ow

Decoy

piavecaffe.com

jlxkqg.men

lifesavingfoundation.net

karadasama.net

michaeltraolach-macsweeney.com

thunderwatches.com

serviciocasawhirlpool.biz

c-cap.online

itparksolution.com

clarityhearingkw.com

wpgrosiri.date

colemarshalcambell.com

webperffest.com

adjusterforirma.info

buildersqq.com

spiritualwisdominindia.com

111222333.net

traditionalarabicdishes.com

hmlifi.com

receive-our-info-heredaily.info
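The decoy list above is the part of the extracted config worth operationalising. FormBook hides its real C2 among decoy domains and beacons to the decoys as well, and several of them are ordinary legitimate sites, so a single DNS resolution of one of these names is weak evidence. One client resolving several distinct names from the set inside a short window is the strong signal. The script below is an added example, not part of the Triage report or of FormBook itself: it matches DNS query names against the extracted list and flags clients that hit several decoys in a window. The log format, the ten-minute window, the threshold of three distinct domains and the sample log lines are assumptions.

```python
"""Hunt DNS logs for FormBook decoy-list beaconing (added example).

The extracted config lists 20 domains. FormBook hides its real C2 among
decoys and beacons to decoys as well, so a single resolution of one of these
names is weak evidence (several are legitimate sites). One client resolving
several distinct names from the set inside a short window is the strong signal.
The log format, window and threshold are assumptions, not part of the report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Decoy domains copied from the extracted config of sample 240316-rv2zgach2t.
FORMBOOK_DECOYS = {
    "piavecaffe.com", "jlxkqg.men", "lifesavingfoundation.net", "karadasama.net",
    "michaeltraolach-macsweeney.com", "thunderwatches.com", "serviciocasawhirlpool.biz",
    "c-cap.online", "itparksolution.com", "clarityhearingkw.com", "wpgrosiri.date",
    "colemarshalcambell.com", "webperffest.com", "adjusterforirma.info", "buildersqq.com",
    "spiritualwisdominindia.com", "111222333.net", "traditionalarabicdishes.com",
    "hmlifi.com", "receive-our-info-heredaily.info",
}

# Constructed sample log, one query per line: "<ISO timestamp> <client IP> <qname>".
# Timestamps and client addresses are made up.
SAMPLE_DNS_LOG = """\
2024-03-16T09:41:02 10.0.0.15 www.piavecaffe.com
2024-03-16T09:41:03 10.0.0.15 www.jlxkqg.men
2024-03-16T09:41:05 10.0.0.15 www.karadasama.net
2024-03-16T09:41:07 10.0.0.15 www.c-cap.online
2024-03-16T09:50:00 10.0.0.22 www.thunderwatches.com
2024-03-16T10:30:00 10.0.0.15 update.example.com
"""

Event = Tuple[datetime, str, str]


def match_decoy(qname: str) -> Optional[str]:
    """Return the decoy domain qname falls under (www.c-cap.online -> c-cap.online)."""
    labels = qname.rstrip(".").lower().split(".")
    # Strip leading labels one at a time; stop before a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in FORMBOOK_DECOYS:
            return candidate
    return None


def parse_dns_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        events.append((datetime.fromisoformat(ts), client, qname))
    return events


def find_beaconing_hosts(events: List[Event],
                         window: timedelta = timedelta(minutes=10),
                         min_distinct: int = 3) -> Dict[str, List[str]]:
    """Map client -> sorted decoy domains for clients that resolved at least
    min_distinct distinct decoys within any window-sized span."""
    hits: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, client, qname in sorted(events):
        decoy = match_decoy(qname)
        if decoy:
            hits[client].append((ts, decoy))
    flagged: Dict[str, List[str]] = {}
    for client, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            # seq is time-ordered, so everything from index i onward is >= t0.
            in_window = {d for t, d in seq[i:] if t - t0 <= window}
            if len(in_window) >= min_distinct:
                flagged[client] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for client, decoys in find_beaconing_hosts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {len(decoys)} FormBook decoys resolved: {', '.join(decoys)}")
```

On the constructed log only 10.0.0.15 is flagged: it resolves four decoys within five seconds, while 10.0.0.22 resolves a single one and stays below the threshold. Suffix matching matters because FormBook prefixes the configured domains with `www.` when it beacons.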

Targets

    • Formbook

      FormBook is an information stealer: it harvests credentials and form data from web browsers and other applications, logs keystrokes, and can fetch and run additional payloads from its command-and-control server.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely as a geofence check so the sample can refuse to run in certain regions.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is a typical step in process hollowing: a legitimate process is started suspended, its image is replaced in memory, and its entry point is redirected to the injected payload so the stealer runs under a trusted process name.
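The "Adds Run key to start application" signature above is the sandbox's view of T1547.001. On a monitored host the same behaviour shows up as a Sysmon Event ID 13 (RegistryEvent, value set) whose target is a `CurrentVersion\Run` value. The script below is an added example, not part of the Triage report or of FormBook: it runs that check over constructed Sysmon-style events and narrows it to values written by, or pointing at, binaries in user-writable directories, which is the shape a dropped EXE produces. The Sysmon field names (EventID, Image, TargetObject, Details) are Sysmon's own; the sample paths, SID, value names and the user-writable-directory heuristic are assumptions.

```python
"""Flag Run-key persistence written by a dropped binary (added example).

Sysmon Event ID 13 records a registry value being set. A value under
Software\\Microsoft\\Windows\\CurrentVersion\\Run is autostart (T1547.001);
one set by, or pointing at, a binary in a user-writable directory is the usual
shape of dropped-EXE persistence. Paths, SID and names below are made up.
"""
import re
from typing import Dict, List

Event = Dict[str, object]

# HKLM and HKU share the Software\Microsoft\Windows\CurrentVersion\Run(Once) suffix.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Locations an unprivileged dropper can write to (heuristic; per-user installers
# of legitimate software also trip it, so treat a hit as a lead, not a verdict).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed Sysmon-style events; SID, paths and value names are made up.
SAMPLE_EVENTS: List[Event] = [
    {   # dropped EXE in Temp registering a copy of itself under the user's Run key
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
    },
    {   # vendor installer under Program Files registering its own agent: benign shape
        "EventID": 13,
        "Image": r"C:\Program Files\Vendor\setup.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
        "Details": r"C:\Program Files\Vendor\agent.exe",
    },
    {   # same dropper touching an unrelated key: not persistence
        "EventID": 13,
        "Image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
        "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Classes\Local Settings\MuiCache",
        "Details": "Some Application",
    },
    {   # file-create event (ID 11): wrong event type for this rule
        "EventID": 11,
        "Image": r"C:\Users\alice\AppData\Local\Temp\dropped.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Updater\updater.exe",
    },
]


def is_suspicious_run_key_event(event: Event) -> bool:
    """True for a registry value-set event on a Run/RunOnce value where the
    writer or the registered binary lives in a user-writable directory."""
    if event.get("EventID") != 13:
        return False
    target = str(event.get("TargetObject", ""))
    if not RUN_KEY_RE.search(target):
        return False
    image = str(event.get("Image", ""))
    details = str(event.get("Details", ""))
    return bool(USER_WRITABLE_RE.search(image) or USER_WRITABLE_RE.search(details))


def find_run_key_persistence(events: List[Event]) -> List[Event]:
    return [e for e in events if is_suspicious_run_key_event(e)]


if __name__ == "__main__":
    for e in find_run_key_persistence(SAMPLE_EVENTS):
        print(f"{e['Image']} set {e['TargetObject']} = {e['Details']}")
```

Only the first constructed event is flagged. Checking both Image and Details matters: a dropper may write the value from a hollowed system process (see the SetThreadContext signature above), in which case Image looks clean and only the registered path gives it away.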

MITRE ATT&CK Matrix (ATT&CK v13)

Counts are the number of behavioural signatures mapped to each technique.

Execution

  • Command and Scripting Interpreter (T1059): 1

Persistence

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation

  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion

  • Modify Registry (T1112): 1

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 3

Tasks