General

  • Target

    e08cc96789886667def8d2d72520d25f

  • Size

    477KB

  • Sample

    240327-cyh87saf23

  • MD5

    e08cc96789886667def8d2d72520d25f

  • SHA1

    cb7764cbd49da01a6b66553644fb3e84c70669d7

  • SHA256

    9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6

  • SHA512

    7a49c1527307a81a9f6e04b02911bcae1da00d29e5110c76585132db5a657ba35ffa1fa32e6a100a6b7c5ad880b5a9453eb96f3bad527bc076571eb0b918f88f

  • SSDEEP

    6144:SJzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbhp:SJY1ja4qQ+rcbFudkuN/S/1MSSPQcHKP

Malware Config

Extracted

  • Family

    formbook

  • Version

    3.9

  • Campaign

    fr

  • Decoy

    geturstuff.life
    kisakollections.com
    bkipmtahuna.com
    aoxou.com
    thebigandfreeupdates.download
    utvtribe.com
    icontoken.com
    naturexperience.com
    h2sentertainmentcafe.com
    careerproresumepa.com
    franchiseindia.directory
    psychouniversity.com
    traveng.com
    mylifestylebyclem.com
    greentmraelty.com
    imoneg.com
    lupusrebelacademy.com
    ghqxc.info
    lylulidbd.com
    dalfreestyle.com

Targets

    • Target

      e08cc96789886667def8d2d72520d25f

    • Size

      477KB

    • MD5

      e08cc96789886667def8d2d72520d25f

    • SHA1

      cb7764cbd49da01a6b66553644fb3e84c70669d7

    • SHA256

      9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6

    • SHA512

      7a49c1527307a81a9f6e04b02911bcae1da00d29e5110c76585132db5a657ba35ffa1fa32e6a100a6b7c5ad880b5a9453eb96f3bad527bc076571eb0b918f88f

    • SSDEEP

      6144:SJzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbhp:SJY1ja4qQ+rcbFudkuN/S/1MSSPQcHKP

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1547 Boot or Logon Autostart Execution (1)

  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1112 Modify Registry (1)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)

Tasks