General

  • Target

    c77b45b902fb66b1bda25f0c9f32c152.bin

  • Size

    608KB

  • Sample

    240327-eth4rafe4y

  • MD5

    73d5010ec747cb75d2792de09dfd5b10

  • SHA1

    098b39fac2e0b182403d1e42c75294822da5f96d

  • SHA256

    701fa689d6a4a6ae409e5e1cc427e1a46707090dea6a3efc446c72dcb42637d6

  • SHA512

    0cf60e5e888b81e66cddce33ed482c33a7ab89b9408b0c7271189196e8844e3e94f9e6dc9ce96f82913de49c237694d4111f566ec2bccb94e6c61108c84db6c3

  • SSDEEP

    12288:R3bfmPcXCHTr+/uMBNo/2EEgjK4dyAKI3GS+/7TEy0aBM0gB:Ff5XCzr0BNoLNK4hP+/FjgB

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy07

Decoy


Targets

    • Target

      d56e9061e7f6df6e094d1582d817c381f8ce9ac6c3925cba5da96464487a18b7.exe

    • Size

      654KB

    • MD5

      c77b45b902fb66b1bda25f0c9f32c152

    • SHA1

      e17705713ede18731797bbfd7b5eb31a7ca52477

    • SHA256

      d56e9061e7f6df6e094d1582d817c381f8ce9ac6c3925cba5da96464487a18b7

    • SHA512

      61af84f112b704230a8f07ead38678e2e3052f55a86e8e7c8b480be2a0da03546801d03d328e663a6ba284ded71bba22bac3caf8365848b2e3e8abf8dfb2d348

    • SSDEEP

      12288:Td4CMwtBBGV/8nu3JKhuL3RlcYgbXvApn76bUtaj6b0jZEgVzvF7B5P9ylA:FBJu3FLBlcYEXvApn76bJ3tEAzvNDP4

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • T1053 Scheduled Task/Job (1)

Persistence

  • T1053 Scheduled Task/Job (1)

Privilege Escalation

  • T1053 Scheduled Task/Job (1)

Discovery

  • T1012 Query Registry (1)

  • T1082 System Information Discovery (2)

Tasks