General

  • Target

    4c8ba76bd8fd57f5196d1e1795b243e542590b7a7f1a4de5a7aea14193ec9585

  • Size

    671KB

  • Sample

    240417-sad8caee5z

  • MD5

    2467c91dde1668b08a2bf578bc0c5467

  • SHA1

    803a4565f051fe494801f583a80d45a04b39d95d

  • SHA256

    4c8ba76bd8fd57f5196d1e1795b243e542590b7a7f1a4de5a7aea14193ec9585

  • SHA512

    6d1564b83f2fe1fd09929c4af447267a0dc5a59e1d8c69aff3f2c6b5010160748d2937ee36f072f8db5b28112590268a90e3f885689a61c33fa11997d58e4121

  • SSDEEP

    12288:Uuv6BgTS1S3AyODpz7+JRjbEcMcJD2tK5RjQJ4DgKnaF6KRoas:FYgT8SQy27+JRHEcFPE8gKnaEGor

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    gy14

  • Decoy

    mavbam.com
    theanhedonia.com
    budgetnurseries.com
    buflitr.com
    alqamarhotel.com
    2660348.top
    123bu6.shop
    v72999.com
    yzyz841.xyz
    247fracing.com
    naples.beauty
    twinklethrive.com
    loscaseros.com
    creditspisatylegko.site
    sgyy3ej2dgwesb5.com
    ufocafe.net
    techn9nehollywoodundead.com
    truedatalab.com
    alterdpxlmarketing.com
    harborspringsfire.com

Targets

    • Target

      fbcd47d1ae7422b87d525af8fb27fef6bf0946137d6e635e4be4adfd6a150f7e.exe

    • Size

      793KB

    • MD5

      fe134dfee844c4808941155c3fdfb4f8

    • SHA1

      5b57c3db2fc4c714efde7d59fe9c729c271f8148

    • SHA256

      fbcd47d1ae7422b87d525af8fb27fef6bf0946137d6e635e4be4adfd6a150f7e

    • SHA512

      a33536d9fd8d3a3b467fceedf8cf025618f8865dc360d196ef51950102a0910c74e5454e438a74216a581783ae3ba2d1cb692c1d772fb26690ce647e6ab42111

    • SSDEEP

      12288:A7XOThbddeh8V/iuL1a80K/NBjfTJMj+liHNQQ2J1+q+pwDb75Ks/JYOTPloZ14X:TThbdd7sy1oaDJMSlOQLeqNv3

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic               | Technique                    | Count | ID
  ---------------------+------------------------------+-------+------
  Execution            | Scheduled Task/Job           | 1     | T1053
  Persistence          | Scheduled Task/Job           | 1     | T1053
  Privilege Escalation | Scheduled Task/Job           | 1     | T1053
  Discovery            | Query Registry               | 2     | T1012
  Discovery            | System Information Discovery | 3     | T1082

Tasks