General

  • Target

    1189ebcdb1a7a3b4ad58df14a4db5955672c5533f873298ddb212443a924c62a

  • Size

    532KB

  • Sample

    240921-fy2mbswgna

  • MD5

    818d4382c38591724430e44cfcff3753

  • SHA1

    7dc4183b8fa198017f9edd4e63494a65f3e7db8f

  • SHA256

    1189ebcdb1a7a3b4ad58df14a4db5955672c5533f873298ddb212443a924c62a

  • SHA512

    7be3dc7b78d4b225d3f7242d9fed158d2f982eea8d96ecef10dde1314aa33c93433324874f4024b6929d941b56243db06887de45ae8f901da2e304c8d315982b

  • SSDEEP

    12288:ovkg445TMT6qhDkcY0eDr0oxT77/Knj3zFbSKl5JJdKPDbXlxoj7:ocyI2QoD0ePRJ77/KljXd+PQ7

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c18x

Decoy

naer.top

loominc.club

eslgnpro.shop

rthodontist-53086.bond

hkil-art.online

-health.events

ustommygifts.online

reenscapemedia.online

mcometrade.online

mq8z.christmas

hristophersremodeling.biz

iverpoolvr.info

xlaw.app

heartpa.shop

nbxsbsk.shop

ompany-chargeback.pro

hevikingshucker.net

anaara.net

eadgenrndtbl.net

odagc.info

Targets

    • Target

      gHALCP5u6qYbIzp.exe

    • Size

      571KB

    • MD5

      d46ea4a5851ace640a9f1ac3c3304e83

    • SHA1

      3797c494b69de4c08d57e18d75e744196662d932

    • SHA256

      dac46f3d278ac47faeadf5160565437d7abcbdc42a39a40482a12728dc088226

    • SHA512

      f2927da84a4abfffe27761ed19716e548d4ae89d8cf0377314ef665980ff5956959b3447082b7ac247eb967ee49f20827b1dc7bf5b282973136c14709ad44ab0

    • SSDEEP

      12288:/Hue0mNiwsiOORw9/sRU/XeL4fc+0eDr0orT77/Knj5jFbSKlHpJ0zW6iFw02g:/OOiwsiOtcyP0ePRP77/K3jtoLiKJ

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service: it hooks browsers and other applications to harvest submitted form data and credentials, logs keystrokes and clipboard contents, takes screenshots, and can download and run further payloads on operator command.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload and its host process are skipped by scanning.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the usual last step of process hollowing and similar injection: the injected code's entry point is written into a suspended thread's registers before the thread is resumed.
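Detection logic for the PowerShell signature listed above, as an added example that is not part of this report and not code from the sample: it scans process-creation command lines (assumed to come from a source such as Sysmon event 1 or Security 4688) for Add-MpPreference/Set-MpPreference calls that register Defender exclusions, and decodes -EncodedCommand payloads so the obfuscated form is caught too. The command lines in SAMPLE_EVENTS are constructed for illustration, not captured from the sandbox run.

```python
"""Detect PowerShell-driven Windows Defender exclusions in process command lines.

Added example for the "Command and Scripting Interpreter: PowerShell" signature;
not code from the sandbox report or the sample. Input is assumed to be
process-creation command lines. SAMPLE_EVENTS are constructed, not captured.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# The two cmdlets that can register Defender exclusions.
CMDLET_RE = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b")
# Any parameter that starts with -Exclusion (Path, Extension, Process, IpAddress),
# including abbreviations PowerShell's binder accepts (-ExclusionExt, -ExclusionProc),
# followed by a quoted or bare value.
PARAM_RE = re.compile(r"""(?i)-Exclusion(\w*)\s+("[^"]*"|'[^']*'|\S+)""")
# Any -e... switch followed by a base64 blob; the switch name is checked separately
# against "EncodedCommand", so -ep / -ExecutionPolicy are never decoded.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")

EXCLUSION_PARAMS = ("Path", "Extension", "Process", "IpAddress")


def canonical_param(suffix: str) -> str:
    """Expand an abbreviated -Exclusion* name by unique-prefix match, as PowerShell does."""
    hits = [p for p in EXCLUSION_PARAMS if p.lower().startswith(suffix.lower())] if suffix else []
    return "Exclusion" + (hits[0] if len(hits) == 1 else suffix)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    for m in ENC_RE.finditer(cmdline):
        flag, payload = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


@dataclass
class Alert:
    rule: str
    exclusions: dict            # canonical parameter name -> values added
    had_encoded_command: bool   # an -EncodedCommand payload was decoded and scanned
    cmdline: str


def detect_defender_exclusion(cmdline: str) -> Optional[Alert]:
    """Alert when the command line (plain or decoded) adds Defender exclusions."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    if not CMDLET_RE.search(text):
        return None
    exclusions: dict = {}
    for m in PARAM_RE.finditer(text):
        name = canonical_param(m.group(1))
        values = [v.strip().strip("'\"") for v in m.group(2).strip("'\"").split(",")]
        exclusions.setdefault(name, []).extend(v for v in values if v)
    if not exclusions:
        return None  # Add/Set-MpPreference used for something other than exclusions
    return Alert("defender_exclusion_via_powershell", exclusions, decoded is not None, cmdline)


def _encode(script: str) -> str:
    """Encode a script the way attackers do for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines (not from the sandbox run).
SAMPLE_EVENTS = [
    r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\Users\Public "
    r"-ExclusionExtension .exe,.dll -ExclusionProc notepad.exe",
    "powershell.exe -ep bypass -enc " + _encode(r"Set-MpPreference -ExclusionPath 'C:\ProgramData\svc'"),
    "powershell.exe -Command Get-MpPreference",
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    "powershell.exe -Command Set-MpPreference -ScanScheduleDay Everyday",
]


def scan(cmdlines) -> list:
    """Run the detection over a sequence of command lines and return the alerts."""
    return [a for a in map(detect_defender_exclusion, cmdlines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.rule, alert.exclusions, "encoded" if alert.had_encoded_command else "plain")
```

Of the five constructed events only the first two alert: the plain Add-MpPreference call and the Set-MpPreference call hidden behind -enc. Get-MpPreference, an -ExecutionPolicy Bypass script launch and a Set-MpPreference call that changes the scan schedule are left alone, which is the false-positive profile a practitioner would want before deploying this against real telemetry.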

MITRE ATT&CK Enterprise v15

Tasks