General

  • Target

    26a38af05a6bdd23f047eb65fee67251.bin

  • Size

    583KB

  • Sample

    240328-bhr1qsaa99

  • MD5

    065e7ab3b26d74f11f2605627aaaee29

  • SHA1

    256cd16bfdd33fa9547f20145d752d4fc1e93e1e

  • SHA256

    1cd7b732c7638b4d1816385e810e158dcc53650406b315c2035d8e416e4cf3a8

  • SHA512

    48fe0c377d2e06a7209c95f68d842291982f416728c677bcaaa2ba9d4c8536befe47a4e532490bc50cd6cd81682fc840a776bcb709673b5ee1c1f18566acc676

  • SSDEEP

    12288:zKIBkfRju4719kysH6Upf5759umswefYeqT46ye3dV2i6emI:7BkY0ds9PNsBK3T2JS

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy07

Decoy

katemclaughl.in

worthyofficial.com

digitopia.click

ledmee.com

siwaasnz.life

ba-y.com

specifiedbuild.com

abandoned-houses-pt-0.bond

yesxoit.xyz

onlinemehrgeld.com

gosysamergoods.com

speakdontell.com

brokenequipmentsolutions.online

gruppofebi.cloud

adilosk.shop

supplierpartnerportal.com

wizov.dev

fast-homeinsurance.com

j88.vote

onamaevn.com

Targets

    • Target

      3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

    • Size

      652KB

    • MD5

      26a38af05a6bdd23f047eb65fee67251

    • SHA1

      61633e621f7d7cdcca5936b27a18cfe7e5169aae

    • SHA256

      3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a

    • SHA512

      7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9

    • SSDEEP

      12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry; likely used as a geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Scheduled Task/Job (1) T1053

  • Persistence

    Scheduled Task/Job (1) T1053

  • Privilege Escalation

    Scheduled Task/Job (1) T1053

  • Discovery

    Query Registry (1) T1012

    System Information Discovery (2) T1082

Tasks