Extracted

• • Target

    SecuriteInfo.com.Win32.CrypterXgen.29913.30159.exe

  • Size

    749KB

  • MD5

    c13a31f39f4de6f4373b06d799b36ee1

  • SHA1

    bed48e4ff3b169b8ab79af619c47f00d4d6ef460

  • SHA256

    4450f87d1d930e77af10b8eeea00a2f2c2421f1035e42e98fa072fecb5735e00

  • SHA512

    fc57a3c3fc924a16caca8757532ea000db33c825dac9712f2a97b96adb9b6e02a10ceba9f1afe027e62f2c8b795074b888735427e6bd04f8fb2d1064d48965e6

  • SSDEEP

    12288:gqdBj0z1nz6T1UoIG5MPU0wOqp06mCPyP4xLUzPimndzQ+ww4pegX3VNXr4T50Lk:A6pUobyTkpVjyP4xLUWmn5cWgHHKck97

  Score

  10^/10

  formbookh209discoveryexecutionratspywarestealertrojan

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook

  • Formbook payload

    rat

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext

  behavioral1behavioral2