General

  • Target

    bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a.zip

  • Size

    522KB

  • Sample

    240531-1z52csfa8x

  • MD5

    3ed25fa0b7155084e0a15b7ce1a19a14

  • SHA1

    d8c9914aa0eb3986dff1b74c87137b86fedfaa64

  • SHA256

    4dc0df606c8f63de9b04ca48bc74d52f72cbfed0887247f018f3d2d064295f8d

  • SHA512

    c7a6d7037c91b75f5ddee6cf4cd30f73e4960343865881afe14296133457c7c224835a47f91dae6e41154cfc654194663ad10f4b5452f34f59310847c7cb1cb8

  • SSDEEP

    12288:YVDbgIKge4CIj4BuoxmGO98UFSIoy9IZSOZSi78eJxb7n:YVfgVgZCH9pu3eyKZSilJ

Malware Config

Extracted

  • Family

    lokibot

  • C2

    http://45.61.137.215/index.php/3b1tenbkyj

    http://kbfvzoboss.bid/alien/fre.php

    http://alphastand.trade/alien/fre.php

    http://alphastand.win/alien/fre.php

    http://alphastand.top/alien/fre.php

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    dn03

  • Decoy


Targets

    • Target

      bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a.zip

    • Size

      522KB


    • Formbook

      Formbook is data-stealing malware (an infostealer).

    • Lokibot

      Lokibot is a password and cryptocurrency-wallet stealer.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext

    • Target

      bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a.exe

    • Size

      549KB

    • MD5

      3b8109a47ed68232b0bff1bdaf39c33a

    • SHA1

      56a00c74e584b1b62c3338d45cad0932a106e9ff

    • SHA256

      bea519bede37f69c08d5d41612b0709231242a62f6a099433c783bef5d40b02a

    • SHA512

      2e3dc37800d0397d2f40d935c59a493088446d577bb8b0f45547935603ccaab1dad65a20985afcbd1f3ef9d631247d74b7085812a9ae5556fd83bf71a13fb18c

    • SSDEEP

      12288:VkkKkXdrJwKcIL0ERnQQSoX9K4KpzaC8QApCnQmxaM:1cHCQboX9KxpsQAp

    • Formbook

      Formbook is data-stealing malware (an infostealer).

    • Lokibot

      Lokibot is a password and cryptocurrency-wallet stealer.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses Microsoft Outlook profiles

    • Suspicious use of SetThreadContext
