Overview

overview

10

Static

static

3

Dekont.pdf.exe

windows7-x64

10

Dekont.pdf.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ef0a49acd91623c090732ba2b2e15f707786e3554f71ac7b020b9e98a690b5f8

  • Size

    572KB

  • Sample

    241008-qhn2easdja

  • MD5

    7a9b067c1ddf55f967af83a637b84937

  • SHA1

    655c66a3099a3ae1f9cfa383b61a1df335256628

  • SHA256

    ef0a49acd91623c090732ba2b2e15f707786e3554f71ac7b020b9e98a690b5f8

  • SHA512

    15bd9e398c776c0b3799db005bfa06d5617c3c71d9d2731b58ad7f042eab747b1e41e73c0519269c8491b74b7b61065bdd6cabd9f11ce3f20e8f004f3de32bd9

  • SSDEEP

    12288:02i/EUCEmEMYDgCi4CRXtMtrY8m4puSNuqZ9II4HFuX6CJB6ADIBO/Sd:TisUcEdgCidJPsCo9ItuDBDQL

Score
10/10
formbookm10idiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m10i

Decoy

rmani.today

ifebork.xyz

randovation.net

itchen-remodeling-65686.bond

himu.world

reverie.net

9038.top

rowahome.live

obility-scooters-63189.bond

iangchunqiu.top

yhd.fun

eniorsforseniors.biz

z9zs2.shop

kkjinni.buzz

22av373vu.autos

allnyy.fun

qst.digital

rcap.info

745.top

earfulabjectshirkwashclothe.cfd

Targets

    • Target

      Dekont.pdf.exe

    • Size

      634KB

    • MD5

      ec3a89fb3f145a68a25284c99c0e714e

    • SHA1

      37f1784b83b3951be610bcc0a88d729aba113f7e

    • SHA256

      462338cc416f17bb48135254e384d49b87dde3f0c40e6c51a70ad7abdecfc231

    • SHA512

      b8e98cd2b5e8739f51fa6762183b85b33c613a47f6942dfba9ed6ad6485608b939589fee899ea5550030dd2d4cc8d734c235ed15cc5ab62493a60b6235fb594e

    • SSDEEP

      12288:OnCiPGlFpYu3pOT+thfn3tumqHZGRosZQve/5hMB2Oy4IZklPrbH6ec4kqNu4FbX:++pl3Dth/3t9qHbsus228I2nAqNusbNB

    Score
    10/10
    formbookm10idiscoveryexecutionratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks