General

  • Target

    60ac5027b75bb97069dd7e70aec097635551700b0c53405b2d516c28f50f7ea6

  • Size

    730KB

  • Sample

    240419-12qz8ahf41

  • MD5

    1f6fed36f46132055b8db68d46f3f136

  • SHA1

    4cf2d74d8c20ab34ce8ee3fbfe6988febef4ff3f

  • SHA256

    60ac5027b75bb97069dd7e70aec097635551700b0c53405b2d516c28f50f7ea6

  • SHA512

    f13e2068e4f12eef396fa77fb024980d43d1c082f5315b9747d6fa734413f016e800497e22e9b218075795d63dcd5cfe43e27ec76024ce878ce3f2c54474a521

  • SSDEEP

    12288:WGL21ILNuB2cWjoI1bv+A50XCjGtPGVm1jPfbDVW28Ro7uCkVj:XL21ILNuBrA1bv+JYGtOVmVHbDVW21uD

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rt83

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family (information stealer).

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Tactic                 Technique                      Count  ID
Execution              Scheduled Task/Job             1      T1053
Persistence            Scheduled Task/Job             1      T1053
Privilege Escalation   Scheduled Task/Job             1      T1053
Discovery              Query Registry                 1      T1012
Discovery              System Information Discovery   2      T1082

Tasks