Extracted

• • Target

    573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d.exe

  • Size

    2.2MB

  • MD5

    15c4948711c3ac6250ff98d0e5272b27

  • SHA1

    545a473d3a8fc3810fbb0ff04e2d4d28ab95bedb

  • SHA256

    573d8ee9678cef8163e96937a6a5a4f14a5ade12f5646ab05550c0038c770e5d

  • SHA512

    d3a0e2273fb307b456f8c860028a489c26011dc75ffd6075473babf320962530d690319706ef03ba2869c2c7d91ec95933ab4c4ed13d755de79d55d82ae58a41

  • SSDEEP

    12288:WK9Xxc/7gzqLiOG1tBda9myeHjQPBPwrgiQa5o0fpfEXKX:n9XxcjgOG3Bda9WmPegiQa5Pftkm

  Score

  10^/10

  formbookgy15credential_accessdiscoveryevasionexecutionpersistenceratspywarestealertrojan

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • UAC bypass

    evasiontrojan

  • Windows security bypass

    evasiontrojan

  • Credentials from Password Stores: Credentials from Web Browsers

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer

  • Formbook payload

    rat

  • Adds policy Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of web browsers

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer

  • Windows security modification

    evasiontrojan

  • Adds Run key to start application

    persistence

  • Checks whether UAC is enabled

    evasiontrojan

  • Suspicious use of SetThreadContext

  behavioral1behavioral2