General

  • Target: 381b35e5af5a4a41ab1e972a8d1fe85fd3c2a4fd9cc7131a48e85dc6663d8106
  • Size: 581KB
  • Sample: 240417-rswpnsbh77
  • MD5: f1b3e7f1f60a664122bdc7b75c7535a7
  • SHA1: 7c9a3dea64562a6f8534aa454064cd9c3a54310e
  • SHA256: 381b35e5af5a4a41ab1e972a8d1fe85fd3c2a4fd9cc7131a48e85dc6663d8106
  • SHA512: 8348404433ca3f2e946b44bf1f025fe2bae219bedd4426140de22a89de7e512fa3b0785503e735a9dcdbd18f0cbd2b90377f1a54f125195cbd723cf98c3a5e8c
  • SSDEEP: 12288:1M3zrmglU8L6W3EC1mGUIadvSHxdfy7eQwKdEZUS8w0pzGH5:1MPmgi8t4bd6Hxl4wKdEaSr0pzW5

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: pz08

Decoy

Targets

    • Target: 7d08e32acf3a9ce5b471219b20d8c8c9bbe4fc03601f41b36291afdec86f39ce.exe
    • Size: 610KB
    • MD5: 180b88380b53eb6b0076ec80fa7b2528
    • SHA1: 9e3e6fa26b9321b47b0bd4c848aa84596629555b
    • SHA256: 7d08e32acf3a9ce5b471219b20d8c8c9bbe4fc03601f41b36291afdec86f39ce
    • SHA512: fdeda60d179dc1fd6b24b8acde0dfc224d6c324f24c55952c89eab43c8cef353b46964bec6cd5266223155c431a7ff1273023827341c476cec45d5fdffbdbbb2
    • SSDEEP: 12288:jxEd6WXvOWEp/thwJ8P9LhlI/tm1qFFdXvr6k:jxc4p//w+PVhl8uqLdD6
    • Formbook: Formbook is an information-stealing malware family.
    • Formbook payload
    • Checks computer location settings: Looks up the country code configured in the registry, likely a geofence check.
    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

Discovery

  • Query Registry (T1012): 1
  • System Information Discovery (T1082): 2

Tasks