General

  • Target

    51932373854e1c5b342ac0ee59bc317686f8601a1c6e6b33521e750523310075

  • Size

    563KB

  • Sample

    240417-rra2ksbg59

  • MD5

    766af75da7bda22387938bbcb51f3cbd

  • SHA1

    26201de1d5c7587bc028764609c8ee43c43845f7

  • SHA256

    51932373854e1c5b342ac0ee59bc317686f8601a1c6e6b33521e750523310075

  • SHA512

    481de28ace688230f0d9206b74694547cd5e39d9488b20fde0679b5a39f909ab2dfc0c5118031b19bf203e9b89ae0af78b89f349919c210dc794dab964e965d6

  • SSDEEP

    12288:KpNxMnVy1hyNKNs0/knbCwZaQeP7VIT7VozyWQ28a:DnVyL0KOgknbOJITZN28a

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Targets

    • Target

      e58c41cb6f52ea51c5a8945d096b0229d3b71a804fd8b3a6d3cdea374decec95.exe

    • Size

      888KB

    • MD5

      505103d52e7960ef145dcb886672daaa

    • SHA1

      abc357e0b0d1f3dab2a787a16eedf3b602ab9b03

    • SHA256

      e58c41cb6f52ea51c5a8945d096b0229d3b71a804fd8b3a6d3cdea374decec95

    • SHA512

      b8aa360d49c46b3145a9b8b6b1ba4905db1c74c372197a733a48e35d782ce7046e2b5e431924771e3656dcde5b72f73ecfffed1e0d0049f6aa29f28eb6ec1583

    • SSDEEP

      12288:gFoKhU4W/qh9fuoDJure02Zgzcel/Ai4wGllh50elrQTy:GoKmz/Fodu2gzTl/kDzlrQT

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion

    Modify Registry: T1112 (1)

  • Credential Access

    Unsecured Credentials: T1552 (1)

    Credentials In Files: T1552.001 (1)

  • Discovery

    Query Registry: T1012 (1)

    System Information Discovery: T1082 (2)

    Remote System Discovery: T1018 (1)

  • Collection

    Data from Local System: T1005 (1)

Tasks