General

  • Target: b029c4194a0b8042d002922a1d2679da5a3d560629e890078a104ca0d461bf5b
  • Size: 595KB
  • Sample: 240417-rsefdsdd3v
  • MD5: bb041a29add831b0f3e1f978a9127b6f
  • SHA1: 66ee5d797a5b502f3d747e40c7db2552a4897f8b
  • SHA256: b029c4194a0b8042d002922a1d2679da5a3d560629e890078a104ca0d461bf5b
  • SHA512: b077f01fbf342de31550b2f4bbc2fb284400d5a5826ae991d9b7b514913b0601c31653fb5d9010411bdc0aae48ad28b2b445906447f7363bec62ecfdf62f9f52
  • SSDEEP: 12288:YOZEJElzXQmSsRAVElD0liAkSiWsK9H5TivvRLbssXaRc9:YOZDtQmf+A4iNWrTsWG

Malware Config (Extracted)

  • Family: formbook
  • Version: 4.1
  • Campaign: pz08
  • Decoy:


Targets

  • Target: d93058ce47215773bfed7fc6a36c4991a4d3278ce71cfd6ec23d0c3b74566798.exe
  • Size: 648KB
  • MD5: b44c4a259319f20aed7c92bf63e38925
  • SHA1: ba2ec96325e0927dd4f7fd22c8038964f2a69f4b
  • SHA256: d93058ce47215773bfed7fc6a36c4991a4d3278ce71cfd6ec23d0c3b74566798
  • SHA512: 23b74f84fc0cff7a3b31d465cc3a36963fb6d87d5a775eebc6f204bd4ac4ba6ac90537780bf43a5cab49417d371038e039da63a6e560b5be804571e5114f0b6d
  • SSDEEP: 12288:BM61jp2g3Wwr/PaDhDOKNIfTzi+mZZUAzb5I4yGlhA2/cMYtn9O8eIC1GFBSV/T:Hp2edeOKNOKxdIshA1ze

  • Formbook
    Formbook is an information-stealing malware family.
  • Formbook payload
  • Checks computer location settings
    Looks up the country code configured in the registry, likely for geofencing.
  • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Discovery
    • Query Registry (T1012): 1
    • System Information Discovery (T1082): 2

Tasks