Overview

overview

10

Static

static

1

Payment in...90.exe

windows7-x64

10

Payment in...90.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    122c3bfcba514525c5bb55266591af83a1057650afd16bc0fd5e5fcd8cfbf0b0

  • Size

    719KB

  • Sample

    241010-m6w55szdpm

  • MD5

    d957825e8c029705e3aa6ccc435750f7

  • SHA1

    3d6147a736ac7a0735f36637c2430c25e3a0daf0

  • SHA256

    122c3bfcba514525c5bb55266591af83a1057650afd16bc0fd5e5fcd8cfbf0b0

  • SHA512

    82335bf7faf90a5862219fac1fbb8df45ea4b379edbf762b25213c5b942ea718cc314d0348d67b3422c3d92a2370b7d08f2f170948a8d4ea2dd7c867685c4221

  • SSDEEP

    12288:S9HKPHkgDxiwcehDIaNfIhtDvtBJ8nCORh9rYPjpn9uBFGPh1yuqIEgdk2ps1QFT:LiwceO60U9rY7WaPh4IRdk/1XlYN

Score
10/10
formbookp25odiscoveryexecutionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p25o

Decoy

hrist-centered-soulcare.net

pacerpa.shop

hicandcurvy.shop

ocfamilyto.llc

9ds87666.men

sia918ku.shop

nvestment-broker-35141.bond

ltralicencas.shop

g1lmb.cyou

eyo.live

pupt.rest

indsetperfection.net

1duqqrzs65zxz.bond

eren138-pro2.click

leaning-products-35959.bond

oodea.online

hlbadienug.info

innivip.bio

funnygame.top

roperty-in-dubai-f.pro

Targets

    • Target

      Payment invoice 549590.exe

    • Size

      789KB

    • MD5

      b0c0077f9a3dccb680b560ab59f77546

    • SHA1

      ec032a6a884117be45db01ff057df7f6628b8f02

    • SHA256

      9a7bd97ac102e6f0f5718cc18085ec685ff87b78956f97a2375a8883263beb54

    • SHA512

      5cdfaf5c6a942f32c313822a878f970dcd16027c3ba9dbbe4386b4ca5c9c4bb2707c07dd3fd8a0e89602a70a53066c44760bd11964ea88fc690bc82fc59f10c6

    • SSDEEP

      24576:ZEhsSrVbCx3YNCU0mP7Y7Vc3Cu5ektpc8+obx:RSlCyHwVz/ktpn+obx

    Score
    10/10
    formbookp25odiscoveryexecutionratspywarestealertrojan

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

      trojanspywarestealerformbook

    • Formbook payload

      rat

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks