General

  • Target

    PaidInvoicePdf.exe

  • Size

    696KB

  • Sample

    250203-l15dwsxqaw

  • MD5

    800ffdb94a4c823184385509daf24178

  • SHA1

    42269e47c7bd0e0e71ebcddeffa9e8f7fd87dc69

  • SHA256

    27ffa4783191b2211f9f11043cdfb2df12898202cbef969013082c7634b2f27b

  • SHA512

    dc11235024197202e9a00059ca5660e09537ac7a6411fc6098ce34f5715b95254a52147231e41e74ae141ee74b8bf9fe3c7b497c8b99ee0697a1f38037fa5c4d

  • SSDEEP

    12288:PYGjdswecl94lQ40JfOofko3QSkQREOyMh344m/xDX/ch:2wedlWOofqSkwKcIrPch

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    n7ak

  • Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks