Resubmissions

15-10-2024 14:49

241015-r7aqravark 10

15-10-2024 14:44

241015-r39paathjq 10

General

  • Target

    malw.exe

  • Size

    557KB

  • Sample

    241015-r7aqravark

  • MD5

    382c88984b3c6ee204de52753ef3430a

  • SHA1

    6a3e055ed4b30137798e379408894298d6caf652

  • SHA256

    0c75f9346023e418ff8265fb609a392086a32d894482fad2426e7993467e0eda

  • SHA512

    e5b9658766c195274d41869253ded042cb8c8d7c2f9439b7ee3335bc049b4b1d6ef14ed86f78d5a7de67fbf2ea16d542db151924ef2c9f4293204ce9d2cde2fa

  • SSDEEP

    12288:7bUSAWFHil5oqaWB1meO4pT7eTAqLySHqiO/B/rbKbp/zF8PnEh2vo1:7bAkCEqaW/mZkT7gAMKL/6p/GEum

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t18n

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family (infostealer).

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks