General

  • Target

    8a095903839b4d6973ef3c87862de7d7ff6741290758c44e3a278a24657a7e1c

  • Size

    583KB

  • Sample

    240417-qrr5esbb4t

  • MD5

    52a78ea9e398a74de99a62360c732881

  • SHA1

    418dd10f66a36006b6bab39ef3d8561c9752d526

  • SHA256

    8a095903839b4d6973ef3c87862de7d7ff6741290758c44e3a278a24657a7e1c

  • SHA512

    c3dc5a301b64fccca73f9d20053871b5075f0a57f7ab474dcd91d4dd3c3678332372019de0c22d00b57d0a75f150f0e272a84c66596b53053b305e4de6959a05

  • SSDEEP

    12288:Jwno9xltPWZ7aKCcRD1nU/efptkup7DnUcn9knOm0Al8iNckhBi:JYod0ZSCxTjNJAmmC

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    hy07

  • Decoy

    katemclaughl.in
    worthyofficial.com
    digitopia.click
    ledmee.com
    siwaasnz.life
    ba-y.com
    specifiedbuild.com
    abandoned-houses-pt-0.bond
    yesxoit.xyz
    onlinemehrgeld.com
    gosysamergoods.com
    speakdontell.com
    brokenequipmentsolutions.online
    gruppofebi.cloud
    adilosk.shop
    supplierpartnerportal.com
    wizov.dev
    fast-homeinsurance.com
    j88.vote
    onamaevn.com

Targets

    • Target

      3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

    • Size

      652KB

    • MD5

      26a38af05a6bdd23f047eb65fee67251

    • SHA1

      61633e621f7d7cdcca5936b27a18cfe7e5169aae

    • SHA256

      3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a

    • SHA512

      7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9

    • SSDEEP

      12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                  Technique                       Count  ID
  Execution               Scheduled Task/Job              1      T1053
  Persistence             Scheduled Task/Job              1      T1053
  Privilege Escalation    Scheduled Task/Job              1      T1053
  Discovery               Query Registry                  1      T1012
  Discovery               System Information Discovery    2      T1082

Tasks