General

  • Target

    54ef2f2acdf62dfb40fc32aab1f46307.zip

  • Size

    253KB

  • Sample

    240901-jqxvyswbnh

  • MD5

    f286b6acd12383458fdc9fa0d4fb294f

  • SHA1

    786189cfaf725fa4c8f4c78d1d949f2a89ff5af6

  • SHA256

    464365a04b73faf53f77ff0a3c4556108e362edf46282f2c36e6718cf8186aec

  • SHA512

    ca53bac845856092330a720cd5cc9f91f125055f02d28cf5a723e55142fd8a21e267d71168c2b2ba9cf3850c163a3bad38ac61eb0ee62a1d57b23e714c70a9d6

  • SSDEEP

    6144:mxEkF6+Zh37WZeeWY/3yenv/1QEMAXYCPWq:OF6y7be93FFQTAX/n

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

h37

Decoy


Targets

    • Target

      f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d

    • Size

      457KB

    • MD5

      54ef2f2acdf62dfb40fc32aab1f46307

    • SHA1

      3f3640685b7af5b52a13d49cfd1cf5364114e317

    • SHA256

      f384ded729fd7bf92383bf1ee12b4e3da92fbb01ef0e9d84bf439ba70525210d

    • SHA512

      3ee12f2d99ce1ce272f99b7e190694f52aaf68bb2267f53efb6073d79100a3d127ad841bd9324d675af527e06bb9c56218ff1e91dfb644af1d21042cf049ff03

    • SSDEEP

      6144:MqTi59VJdaD70ylbBTpVg8DPmgQhSdj/4KngWIq6jRk+j:MGin670yTTpVg8CgcSKKngWIjX

    • Formbook

      Formbook is a data-stealing malware family.

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious access to, or copying of, a web browser credential store.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks