Overview

overview

10

Static

static

1

22ee08b967...f1.exe

windows7-x64

10

22ee08b967...f1.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    22ee08b9678302f3671e7f1c6abd33866366b034faa9da27757fee2e05e23bf1.exe

  • Size

    2.0MB

  • Sample

    240914-blk2lazekb

  • MD5

    212d2562e0f4d53f9fe595f730f14f95

  • SHA1

    74f3d0c8ac4cb82000b4e799e3ccc080a372b88e

  • SHA256

    22ee08b9678302f3671e7f1c6abd33866366b034faa9da27757fee2e05e23bf1

  • SHA512

    826cec49775fd6c4fc5f5ebfa374a8424fd5c2258cab5d64168d3465d827c6d5d23eb0a797b12e3f1b1d5a42d6df466bf43bbe6a1566d6daabbb9f7b94b33e8d

  • SSDEEP

    49152:8fDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszd8u1NhSCg6Ek/A:8fDQQs3fJ/A

Score
10/10
formbookgy15credential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

hairsdeals.today

acob-saaad.buzz

9955.club

gild6222.vip

nline-shopping-56055.bond

lmadulles.top

utemodels.info

ighdd4675.online

nqqkk146.xyz

avasales.online

ortas-de-madeira.today

haad.xyz

races-dental-splints-15439.bond

hilohcreekpemf.online

rrivalgetaways.info

orktoday-2507-02-sap.click

eceriyayinlari.xyz

lsurfer.click

aston-saaae.buzz

etrot.pro

Targets

    • Target

      22ee08b9678302f3671e7f1c6abd33866366b034faa9da27757fee2e05e23bf1.exe

    • Size

      2.0MB

    • MD5

      212d2562e0f4d53f9fe595f730f14f95

    • SHA1

      74f3d0c8ac4cb82000b4e799e3ccc080a372b88e

    • SHA256

      22ee08b9678302f3671e7f1c6abd33866366b034faa9da27757fee2e05e23bf1

    • SHA512

      826cec49775fd6c4fc5f5ebfa374a8424fd5c2258cab5d64168d3465d827c6d5d23eb0a797b12e3f1b1d5a42d6df466bf43bbe6a1566d6daabbb9f7b94b33e8d

    • SSDEEP

      49152:8fDe+fmH7RRZ1UW84VCyH+4FAGqnx+lg3jszd8u1NhSCg6Ek/A:8fDQQs3fJ/A

    Score
    10/10
    formbookgy15credential_accessdiscoveryexecutionpersistenceratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Formbook payload

      rat

    • Adds policy Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Defense Evasion

Modify Registry

3
T1112

Scripting

1
T1064

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks