Overview

overview

9

Static

static

3

formu.exe

windows7-x64

9

formu.exe

windows10-2004-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    7dfb0e728c2d4b5fe68fd3e499750cd4d961cd5a0c079a2ab13934f8a57e5793.rar

  • Size

    684KB

  • Sample

    240814-blcp8aybrr

  • MD5

    14d9e8de60a76a063618d6f57348e820

  • SHA1

    12314f9594581462ecced6061d5b637576436964

  • SHA256

    7dfb0e728c2d4b5fe68fd3e499750cd4d961cd5a0c079a2ab13934f8a57e5793

  • SHA512

    f236712f3bf1307032577d9f2c2ea234f64b79d297ff73bd3492269884ebd462f4651a469d815945e902191d821bbb763beb8816e824e254befa3dbcdd95ca9f

  • SSDEEP

    12288:uIpiAaQ6LjoZhp5JxPPoT7rlMMRrVEIoqx7W/yzWfx6D8GrKCFmXBBL:L41Q6Lqhp53YT7GMR5EIt1WazWMD8G9a

Score
9/10
collectioncredential_accessdiscoveryexecutionspywarestealer

Malware Config

Targets

    • Target

      formu.exe

    • Size

      698KB

    • MD5

      fe78741712b625c3340b3a56f21d7be8

    • SHA1

      114f9ec63c475eb42629892c86d4f4e037ac23ba

    • SHA256

      415afb394789db292ecd31abe20049f34847c3bb61efa231a652063b645e9b54

    • SHA512

      e44a7cfc8b378070401b5d305965737bd6a20a564ec588970c02e138729929e33ee1d6ba205484ae24fbbc79e50368c26837af9feb5f3cdc12a09a4313b4e726

    • SSDEEP

      12288:ctW+f9m9ZGNM7ICKrxXr6lv9ebABiVqMjxAbhjh0PkPaRtCMJ:cITtTKrxcQAyqMFAz08DM

    Score
    9/10
    collectioncredential_accessdiscoveryexecutionspywarestealer

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of local email clients

      Email clients store some user data on disk where infostealers will often target it.

      spywarestealer

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Accesses Microsoft Outlook profiles

      collection

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks