General

  • Target

    ASA S27.exe

  • Size

    692KB

  • Sample

    240913-lx9t7sxanl

  • MD5

    c3c19eded0a05cdc8b8740d97ebfdccf

  • SHA1

    506138ac626ce46c5ada87bf83d703270fe329d9

  • SHA256

    1625bc28c0c1fd3e4375430f222944d92c2b31b2543b5c8703dc5463cd68d1e3

  • SHA512

    d075626bbad97c960dc892164dee8110d5897203dfeeeed1314e0c3d0aa2e71b0a4cc18bad6d493054a2263a1d83c2e4c4f154d7556f0ff162185d6fccd96aa4

  • SSDEEP

    12288:xYV2o24S0WnqLtlbylU47swoC7Xl9wfWOVoiAaUnnLODW15R:22HL0xLqoNC7sjpPULSgR

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h209

Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Suspicious use of SetThreadContext
