General

  • Target

    f3298ef809962d972156b31709e10d4af7ab11c9ea3e2ce3412f052bf9784d26.r00

  • Size

    588KB

  • Sample

    240419-cmm31sdh34

  • MD5

    edf46e0240a7993d532633a83af664b6

  • SHA1

    653317c37f159144151288716af4a4702eb041f9

  • SHA256

    f3298ef809962d972156b31709e10d4af7ab11c9ea3e2ce3412f052bf9784d26

  • SHA512

    53c5bd21291de66ff0a534ef5676ea4998f0ba72c57fc7c3f0efde5eaf14f7554daed0e3371a5e7f474ccdc5ac38e0f405d9c16433976260f1b083ca914740b3

  • SSDEEP

    12288:FL9IVWGjXFZEIa7FtDlIBKL0vzQ7EmCzC28H0hEuAOTIG8HYaPDBEw17Z:FLWVW4fEt5tDl1LZRCzC28WpHEGUJlEY

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs83

Decoy

Formbook configurations carry a list of decoy domains alongside the live C2, and the sample contacts several of them. Treat the domains below as network indicators to hunt for, not as a list of attacker-controlled hosts; some are decoys and may be unrelated legitimate sites.

blastol.space

tomwalkerisfalco.com

us-sumatrraslimbellytonic.com

drywallandpaintingservice.com

vntapp.net

passportpages.site

at-mim.com

yeondagoods.com

teomanyildirim.com

paygame.site

senze.art

alhandco.com

9831bsej.xyz

traumatic.xyz

sos-soutien.com

thetechnolgy.live

washing-machine-46612.bond

marvsneakers.com

shequbaike.net

xc4f35fg4h35fg4h53.top

Targets

    • Target

      Invoice copy.pdf.exe

    • Size

      608KB

    • MD5

      49e038fcffc683c025060ca5610e0ad3

    • SHA1

      20007286f125b0f2dbd097000c1c3cd014372d1e

    • SHA256

      37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7

    • SHA512

      18656778b3924b0eb02547d32bbf8949cda4b7734b2c94f95a1117f75bdc526d58bdec344bcfeff94ba14cfbe6bd2fa919288eecccb0d1d62d0b54a16384926f

    • SSDEEP

      12288:7WkV9mUBhIooC3jjSc6bun4f8vNN3JRSA/DGzf9JEMWI:7WkV9mGuqzjSc6bkzN5RL/Ub9

    • Formbook

Formbook is a commodity information stealer (sold as malware-as-a-service) that harvests credentials and form data from browsers and mail clients, logs keystrokes and monitors the clipboard, and can download and run further payloads on command.

    • Formbook payload

    • Checks computer location settings

Looks up the country code configured in the registry, most likely a geofence check used to avoid running in certain regions.

    • Suspicious use of SetThreadContext

      Setting the context of a suspended thread is the standard way to redirect execution into injected code (process hollowing, thread hijacking), which is why it is flagged here next to the Formbook payload.
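A practical use of this report is matching its indicators against local artefacts. The following script is an added example, not part of the sandbox report or of any tool it describes: it embeds the MD5/SHA1/SHA256 values and decoy domains listed above and checks them against a file's digests and against DNS query log lines. The log format (timestamp, client, record type, name) and the log lines themselves are constructed for the example; the domain match is suffix-based (a query for a subdomain of a listed domain counts, a lookalike that merely contains the string does not).

```python
"""Match IoCs from the Formbook sandbox report against files and DNS logs.

Added example; hashes and decoy domains are copied from the report, the DNS
log lines and their format are constructed for illustration.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

ALGOS = ("md5", "sha1", "sha256")

# Hashes copied from the report: the .r00 archive and the EXE it contains.
REPORT_HASHES: Dict[str, Dict[str, str]] = {
    "f3298ef809962d972156b31709e10d4af7ab11c9ea3e2ce3412f052bf9784d26.r00": {
        "md5": "edf46e0240a7993d532633a83af664b6",
        "sha1": "653317c37f159144151288716af4a4702eb041f9",
        "sha256": "f3298ef809962d972156b31709e10d4af7ab11c9ea3e2ce3412f052bf9784d26",
    },
    "Invoice copy.pdf.exe": {
        "md5": "49e038fcffc683c025060ca5610e0ad3",
        "sha1": "20007286f125b0f2dbd097000c1c3cd014372d1e",
        "sha256": "37fd7b8035bd49b8dfad405a793428dda8cbf623de0133818756d05a1191d8b7",
    },
}

# Decoy / C2 domains from the extracted Formbook config (campaign fs83).
DECOY_DOMAINS = {
    "blastol.space", "tomwalkerisfalco.com", "us-sumatrraslimbellytonic.com",
    "drywallandpaintingservice.com", "vntapp.net", "passportpages.site",
    "at-mim.com", "yeondagoods.com", "teomanyildirim.com", "paygame.site",
    "senze.art", "alhandco.com", "9831bsej.xyz", "traumatic.xyz",
    "sos-soutien.com", "thetechnolgy.live", "washing-machine-46612.bond",
    "marvsneakers.com", "shequbaike.net", "xc4f35fg4h35fg4h53.top",
}

# Constructed DNS query log: "<timestamp> <client> <rtype> <name>" per line.
SAMPLE_DNS_LOG = """\
2024-04-19T09:12:01Z 10.0.0.5 A www.blastol.space
2024-04-19T09:12:02Z 10.0.0.5 A update.microsoft.com
2024-04-19T09:12:03Z 10.0.0.7 A xc4f35fg4h35fg4h53.top.
2024-04-19T09:12:04Z 10.0.0.9 A paygame.site.lookalike.example
"""


def digest_bytes(data: bytes) -> Dict[str, str]:
    """Compute the report's hash types over an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_file(path: str) -> Dict[str, str]:
    """Compute the report's hash types over a file, streaming in 1 MiB chunks."""
    hashes = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def match_hashes(digests: Dict[str, str]) -> List[str]:
    """Return report entries for which any supplied digest matches (case-insensitive)."""
    hits = []
    for name, known in REPORT_HASHES.items():
        for algo, value in known.items():
            if algo in digests and digests[algo].lower() == value:
                hits.append(name)
                break
    return hits


def domain_hit(host: str) -> Optional[str]:
    """Return the listed domain that `host` equals or is a subdomain of, else None.

    Normalises case and a trailing dot, then walks parent labels so that
    'www.blastol.space' matches 'blastol.space' but 'paygame.site.x.example' does not.
    """
    labels = host.strip().rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DECOY_DOMAINS:
            return candidate
    return None


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched domain) for every hit in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        _ts, client, _rtype, name = parts[:4]
        matched = domain_hit(name)
        if matched:
            hits.append((client, name, matched))
    return hits


if __name__ == "__main__":
    for client, name, matched in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} queried {name} -> matches decoy domain {matched}")
```

Run it against a real DNS export by feeding the file contents to scan_dns_log, and against a quarantined file with match_hashes(digest_file(path)); a hit on the .r00 archive and a hit on the inner executable are reported separately because the report lists both.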

MITRE ATT&CK Matrix (ATT&CK v13)

Execution

  • Command and Scripting Interpreter (T1059): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 3

Tasks