General

  • Target: 2b73e14598fa9527a5d3b18e34a2b263a4001785a862932005caad64025c86a3.xz
  • Size: 564KB
  • Sample: 250130-dherhsvrgm
  • MD5: 4a77488f77ff4cd08acec0265f6db180
  • SHA1: e64925046e44599f4b1a65741a06610b89e36500
  • SHA256: 2b73e14598fa9527a5d3b18e34a2b263a4001785a862932005caad64025c86a3
  • SHA512: 4357f57dd6a3bdaa90f3988ae23ebc041453169f090bf9f48698c8d0d68dc740d8b792757031be560d1358def0d1ba165a17c5a52d39f416a08f55a937d8f593
  • SSDEEP: 12288:WM2u8Hi1cqYuh4zUILeOO0B8Tz88RPyMaqAxfCWVd/KFBh:W+8mWV/WTzB4PQWeFBh

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: kmge
  • Decoy

Targets

    • Target: 2b73e14598fa9527a5d3b18e34a2b263a4001785a862932005caad64025c86a3
    • Size: 669KB
    • MD5: ad90b7ef4c9611dc1ba60fccef729b3a
    • SHA1: 5e6f73d1e88a5e7ed7283ba195ed158849ae9cad
    • SHA256: bf6ce08a4c3bb3395310e980d52c5cddfd7d30924e2c1b1b1451790421ac6d6e
    • SHA512: 900ff1695d83e832a9f6d0d7b5f1f0d2240bc0c8da0d570494d79f9506de794bee67dcf40ed9b20e112f295e03251c2c06df62d9bfdc9cb99200cfa586699b1b
    • SSDEEP: 12288:dKjNZYuhezUIseO40B8Tn8TRPyca/AxfuWVd/KFBSNUehNLn:+1HVNWTnoGYwWeFBSNUeDLn

    • Formbook

      Formbook is a data-stealing malware family (information stealer).

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks