General

  • Target

    78d40748489ab8942198969d8ea164e798e9d9db0e15601ef64a4ba3d90a1448.zip

  • Size

    583KB

  • Sample

    241101-ewg98sxarp

  • MD5

    2d435b91fd5dc8515a53b05fdb52ff54

  • SHA1

    700c063d3a6c7e02c6838e0c2e77af30f7a65e35

  • SHA256

    78d40748489ab8942198969d8ea164e798e9d9db0e15601ef64a4ba3d90a1448

  • SHA512

    c805995d2917335dc533a98ffa0ee16162dc41907808f23a739c5b8a2becf2bad6e4f4719bc5e2fcd779cdef89b61439faadaa15f3dd9047699fdb1447616c3a

  • SSDEEP

    12288:gOZoKNVcYluVU2JErMnYyBmiW2sfFahuznl6P5ngSXlZ:gOZv8xUrMnYyjW2sfFlns5hlZ

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cd36

Decoy

hongrobert.top

msurmis.online

tormdamageroof.net

riglashenie-svadby.store

otorcycle-loans-84331.bond

ouriptv.info

eportingcfo.top

2019.vip

ysphoto.online

hrivegorevx.info

350yhc.top

mwakop.xyz

antan4d-amp.xyz

pc-marketing-95267.bond

cuway.tours

inshiaward.top

akuzainu.fun

scenario.live

arrowlaboratorio.shop

nline-gaming-13926.bond
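
The extracted domain list above is only useful once it is turned into a check over real traffic. The following is an added example (not part of the sandbox report) that matches those entries against DNS query logs; the log lines are constructed for illustration. Several entries are visibly missing leading characters (for instance "otorcycle-loans-84331.bond" and "nline-gaming-13926.bond"), so the matcher also accepts a query name that merely ends with the entry text and labels the kind of match so an analyst can weigh it.

```python
"""Match the decoy/C2 domains extracted from this sample's Formbook config
against DNS query logs.

Added example, not part of the sandbox report. The DNS log lines are
constructed. Some extracted entries are visibly missing leading
characters, so besides exact and subdomain matches the matcher reports a
weaker 'suffix' match where the query only ends with the entry text.
"""
import re

# Decoy domains exactly as listed in the extracted config above.
DECOY_DOMAINS = [
    "hongrobert.top", "msurmis.online", "tormdamageroof.net",
    "riglashenie-svadby.store", "otorcycle-loans-84331.bond", "ouriptv.info",
    "eportingcfo.top", "2019.vip", "ysphoto.online", "hrivegorevx.info",
    "350yhc.top", "mwakop.xyz", "antan4d-amp.xyz", "pc-marketing-95267.bond",
    "cuway.tours", "inshiaward.top", "akuzainu.fun", "scenario.live",
    "arrowlaboratorio.shop", "nline-gaming-13926.bond",
]

# Constructed log format: "... qname=<fqdn> qtype=<type>"
_QNAME = re.compile(r"\bqname=(\S+)")


def normalize(name):
    """Lower-case an FQDN and strip the trailing root dot."""
    return name.strip().rstrip(".").lower()


def classify(qname, entries=DECOY_DOMAINS):
    """Return (entry, kind) for the first entry the query matches, else None.

    kind is 'exact', 'subdomain' (query is a host under the entry) or
    'suffix' (query ends with the entry text with no label boundary,
    which is how a truncated entry matches the full domain name).
    """
    q = normalize(qname)
    for raw in entries:
        entry = normalize(raw)
        if q == entry:
            return raw, "exact"
        if q.endswith("." + entry):
            return raw, "subdomain"
        if q.endswith(entry):
            return raw, "suffix"
    return None


def scan_dns_log(lines):
    """Return (qname, entry, kind) for every log line whose query matches."""
    hits = []
    for line in lines:
        m = _QNAME.search(line)
        if not m:
            continue
        result = classify(m.group(1))
        if result:
            hits.append((m.group(1), result[0], result[1]))
    return hits


# Constructed DNS query log, not traffic recorded from this sample. The
# "xx" prefix below is a placeholder: the full name behind the truncated
# entry is not given in the report.
SAMPLE_DNS_LOG = [
    "2024-11-01T10:22:13Z client=10.0.0.12 qname=www.hongrobert.top qtype=A",
    "2024-11-01T10:22:14Z client=10.0.0.12 qname=ouriptv.info. qtype=A",
    "2024-11-01T10:22:15Z client=10.0.0.12 qname=xxotorcycle-loans-84331.bond qtype=A",
    "2024-11-01T10:22:16Z client=10.0.0.12 qname=update.microsoft.com qtype=A",
    "2024-11-01T10:22:17Z client=10.0.0.12 qname=MWAKOP.XYZ qtype=AAAA",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

A 'suffix' hit on a short entry such as "2019.vip" is weaker evidence than an exact or subdomain hit, which is why the match kind is carried through to the output rather than collapsed into a boolean.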

Targets

    • Target

      RFQ REF-JTCAJC-QINHP5-TIS-L0009- (AL DHAFRA) AL JABER - SUPPLY.exe

    • Size

      681KB

    • MD5

      580d52f93549b085b8061f3e699eef17

    • SHA1

      9e9acbdb7fd7b1ded9d18a8aeee40355a2ec7790

    • SHA256

      53ef40005eacaaf2c37175d6f38dfa8d9efe91d4513dc545cd7176924d9e64ef

    • SHA512

      fe08643b09d4ddd0f6125a7e89a8204a94618238444a4a7339b26a82041af06a170bc1c47e685ec71307891118bf15bc9d43a9b7b12a878de2f72c263cc3f382

    • SSDEEP

      12288:8+YLrsVU2hHe8rolfBemE4uNfwY5a+uT5naPRTiLD:JD+8EAmX0Va+A5a5TiL

    • Formbook

      Formbook is an information stealer: it logs keystrokes, grabs data submitted in web forms and credentials stored by browsers and other applications, and can download and run additional payloads.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to change Windows Defender settings, adding exclusions for file extensions, paths and processes so that the dropped files and running payload are not scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check to avoid running in certain regions.

    • Deletes itself

    • Suspicious use of SetThreadContext
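
Two of the behaviours above, the PowerShell Defender-exclusion change and the registry lookup of the configured country code, are the ones most worth turning into host detections. The following is an added example (not the sandbox's own rules) that implements both over constructed Sysmon-style process-creation and registry events in a simplified key=value format; it also decodes a -EncodedCommand argument, since a regex on the visible command line never sees a base64/UTF-16LE script. The registry paths named are the standard Windows locale keys and are an assumption about where such a check reads; the report does not name the key.

```python
"""Detection logic for two behaviours the report flags on this sample:
Windows Defender exclusions added through PowerShell, and a registry
lookup of the configured country code (a likely geofence).

Added example, not the sandbox's own rules. The event lines are
constructed (Sysmon-style process creation and registry events in a
simplified key=value form). The locale registry paths are an assumption
about what such a geofence check reads; the report does not name them.
"""
import base64
import re

# Cmdlets that change Defender preferences and the parameters that add exclusions.
MP_CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
EXCLUSION_PARAM = re.compile(r"-Exclusion(?:Path|Extension|Process)\b", re.I)
# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc):
# the argument is base64 of UTF-16LE text, so it must be decoded before matching.
ENCODED_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)

# Lower-cased registry path fragments holding the configured country/locale (assumed).
LOCALE_KEYS = (
    "control panel\\international",   # HKCU: sCountry, LocaleName, Geo\Nation
    "control\\nls\\locale",           # HKLM\SYSTEM\CurrentControlSet\Control\Nls\Locale
)

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse 'key=value key="quoted value"' into a dict."""
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def check_event(ev):
    """Return a list of (alert, image, detail) tuples for one parsed event."""
    alerts = []
    if ev.get("event") == "process_create":
        cmd = ev.get("cmdline", "")
        # Inspect the visible command line and any decoded payload together.
        text = cmd + "\n" + decode_encoded_command(cmd)
        if MP_CMDLET.search(text) and EXCLUSION_PARAM.search(text):
            params = tuple(p.lower() for p in EXCLUSION_PARAM.findall(text))
            alerts.append(("defender_exclusion", ev.get("image", ""), params))
    elif ev.get("event") == "registry_query":
        target = ev.get("target", "")
        if any(key in target.lower() for key in LOCALE_KEYS):
            alerts.append(("locale_lookup", ev.get("image", ""), target))
    return alerts


def scan(lines):
    """Run check_event over every line and collect the alerts."""
    alerts = []
    for line in lines:
        alerts.extend(check_event(parse_event(line)))
    return alerts


def encode_command(script):
    """Encode a script the way -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


POWERSHELL_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_IMAGE = "C:\\Users\\victim\\AppData\\Local\\Temp\\sample.exe"

# Constructed telemetry, not events recorded from this sample.
SAMPLE_EVENTS = [
    "event=process_create image=" + POWERSHELL_IMAGE + ' cmdline="powershell -NoProfile '
    '-Command Add-MpPreference -ExclusionPath C:\\Users\\Public -ExclusionExtension exe '
    '-ExclusionProcess explorer.exe"',
    "event=process_create image=" + POWERSHELL_IMAGE + ' cmdline="powershell -enc '
    + encode_command("Set-MpPreference -ExclusionPath $env:TEMP") + '"',
    'event=process_create image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c echo hello"',
    "event=registry_query image=" + SAMPLE_IMAGE
    + ' target="HKCU\\Control Panel\\International\\sCountry"',
    "event=registry_query image=" + SAMPLE_IMAGE
    + ' target="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

On a real host, the equivalent evidence lives in PowerShell script block logs (Event ID 4104), Sysmon process-creation and registry events, and Defender's own configuration-change events; the matching above is the same, only the parser changes.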

MITRE ATT&CK Enterprise v15

Tasks