General

  • Target

    dc0ec426f78537f85731709a0d276a68

  • Size

    477KB

  • Sample

    240321-tpeyvsfb84

  • MD5

    dc0ec426f78537f85731709a0d276a68

  • SHA1

    1a55b4e5ed212a025fd6ae5dcf5b9bb8c7400946

  • SHA256

    8d128a41b8b898b0bc1de35ea70d88b8a14e32aa705d0bbe817ed3d1e0c9c444

  • SHA512

    7fa87f3861fcf3afb17c99587e790e6b2e68733e57390c5b5452bfc89f624f824ed756ca72901d96a948e502c6e61a100ce0a6557b13c4848d011889def58474

  • SSDEEP

    6144:VJzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbhS:VJY1ja4qQ+rcbFudkuN/S/1MSSPQcHKg

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

fr

Decoy

Targets

    • Formbook

      Formbook is data-stealing malware.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                 Technique                             Count  ID
  Persistence            Boot or Logon Autostart Execution     1      T1547
  Persistence            Registry Run Keys / Startup Folder    1      T1547.001
  Privilege Escalation   Boot or Logon Autostart Execution     1      T1547
  Privilege Escalation   Registry Run Keys / Startup Folder    1      T1547.001
  Defense Evasion        Modify Registry                       1      T1112
  Discovery              Query Registry                        1      T1012
  Discovery              System Information Discovery          2      T1082