Overview

overview

10

Static

static

3

Pedido de ...te.exe

windows7-x64

10

Pedido de ...te.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Pedido de compra urgente.exe

  • Size

    1.2MB

  • Sample

    240521-ebphtagd66

  • MD5

    ae2709b53bbe59af6094b3721d2e43e4

  • SHA1

    85dd2c7acf90d25e656598d30008bc77f3d4a60b

  • SHA256

    01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b

  • SHA512

    9c62a99a932e173939614c638d524ce33ee68b5985eda8e9737f07584a8c9f40c8b13b42b206d6a221092bdd2aa39a5ab3860a3ca6a877282578e2bf587d124b

  • SSDEEP

    24576:LiTAD3InHT6elgPzH6s5K4Z3LpNnp+JNwIl7TaTpCGCcYjb:LeM3LjgTv5T09nYjb

Score
10/10
formbookgy14motwpersistencephishingratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy14

Decoy

mavbam.com

theanhedonia.com

budgetnurseries.com

buflitr.com

alqamarhotel.com

2660348.top

123bu6.shop

v72999.com

yzyz841.xyz

247fracing.com

naples.beauty

twinklethrive.com

loscaseros.com

creditspisatylegko.site

sgyy3ej2dgwesb5.com

ufocafe.net

techn9nehollywoodundead.com

truedatalab.com

alterdpxlmarketing.com

harborspringsfire.com

Targets

    • Target

      Pedido de compra urgente.exe

    • Size

      1.2MB

    • MD5

      ae2709b53bbe59af6094b3721d2e43e4

    • SHA1

      85dd2c7acf90d25e656598d30008bc77f3d4a60b

    • SHA256

      01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b

    • SHA512

      9c62a99a932e173939614c638d524ce33ee68b5985eda8e9737f07584a8c9f40c8b13b42b206d6a221092bdd2aa39a5ab3860a3ca6a877282578e2bf587d124b

    • SSDEEP

      24576:LiTAD3InHT6elgPzH6s5K4Z3LpNnp+JNwIl7TaTpCGCcYjb:LeM3LjgTv5T09nYjb

    Score
    10/10
    formbookgy14motwpersistencephishingratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Adds policy Run key to start application

      persistence

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Mark of the Web detected: This indicates that the page was originally saved or cloned.

      phishingmotw

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks