General

  • Target

    28be40acc961d0ea88cafb87d1d92c80_NeikiAnalytics.exe

  • Size

    705KB

  • Sample

    240519-yj9cqseg53

  • MD5

    28be40acc961d0ea88cafb87d1d92c80

  • SHA1

    6963b41056d86e808d0b173b6c0fe22d3d356c3e

  • SHA256

    365e3845893ef3305b44c24ffa21a6ef8718534c0e438e4d67c3b35ac87d2c9e

  • SHA512

    82a0e81d70ff03441c382e53ed4d7df07b4ccc37c1b512ce30f3bcb2c09fd067ba37b0b89ebcae18e9eaf210d86bef0978bf51111151d64227ea5de1179741a0

  • SSDEEP

    12288:rdrLbDZaNRp5H6ykhyMhHC5gxhWpGoX8lVB23TRLCKUPJSX4lDJ1:5LDZMRp5H6yk9gII8XmCKQwXWDD

Malware Config (extracted)

  • Family

    formbook

  • Version

    4.1

  • Campaign

    qt22

  • Decoy


Targets

    • Target

      28be40acc961d0ea88cafb87d1d92c80_NeikiAnalytics.exe


    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Command and Scripting Interpreter (1): T1059
    PowerShell (1): T1059.001
    Scheduled Task/Job (1): T1053

  • Persistence

    Scheduled Task/Job (1): T1053

  • Privilege Escalation

    Scheduled Task/Job (1): T1053

  • Discovery

    Query Registry (1): T1012
    System Information Discovery (2): T1082
