Overview

overview

10

Static

static

1

Comandă d...df.exe

windows7-x64

10

Comandă d...df.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    10092024_1712_10092024_Comandă de achiziție nouă pdf.zip

  • Size

    1.0MB

  • Sample

    240910-vq696swemf

  • MD5

    fe66c20d3df78b440aad967c14468b95

  • SHA1

    70dd7bc8fd103b19352b8534a6b12e4df8d09854

  • SHA256

    7d006ea5798555187db42336b482f56f3ee6d4c2a8e93df6d64037de79ba6f49

  • SHA512

    f477450e86fd1b15033f6a3a06b41fa3853950ff19aca1d9bab5c267f584ecffb2d0b14d02dc6ca6899591568e16edc08bf359e4b446d863256ef3de5a5ef557

  • SSDEEP

    24576:AH5oqpXcqR+DNEXU2fDpZcyEqWH4rrTG1k0DGkIdpPtDtIuBoAp9vBbUJW:Ao4ECXU2fdp5rr6130dviArBUU

Score
10/10
formbookgy15credential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

hairsdeals.today

acob-saaad.buzz

9955.club

gild6222.vip

nline-shopping-56055.bond

lmadulles.top

utemodels.info

ighdd4675.online

nqqkk146.xyz

avasales.online

ortas-de-madeira.today

haad.xyz

races-dental-splints-15439.bond

hilohcreekpemf.online

rrivalgetaways.info

orktoday-2507-02-sap.click

eceriyayinlari.xyz

lsurfer.click

aston-saaae.buzz

etrot.pro

Targets

    • Target

      Comandă de achiziție nouă pdf.exe

    • Size

      2.0MB

    • MD5

      e5a337b7c7fc380562683f2f7f72e0f2

    • SHA1

      49e8d006f134165696f4bd5fdcb1e64aa51f0f47

    • SHA256

      32c368fd65657924f718e0d68afe18f36fa1df2b3203bc71a6cd00073ecddc94

    • SHA512

      a6b3866ac3be8c304804916ff4dac0acc8e1d6b0a09762e1e4c85999b46f07dbe8d25ca894c9b34ea30067163fea6c76a165d479facedc1dffb5b1acb842beae

    • SSDEEP

      49152:2fDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszc8u1xESCgIAPpUm:2fDQQs0YbM

    Score
    10/10
    formbookgy15credential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Formbook payload

      rat

    • Adds policy Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks