General

  • Target

    Order 3078.exe

  • Size

    770KB

  • Sample

    250204-mhq9zsvqap

  • MD5

    2c69ec0bd7c4c195a7b6e01274ca4ddf

  • SHA1

    3346a47b05e495951316a54315716599f48a29f4

  • SHA256

    b2fe57ff7504883c1a5050ccf0a6cfe45087a43bea4ce92aec075be6f1852a29

  • SHA512

    36efcc9dc6bf49507565053379348b1bd072b2452f73b5dc4fc4535d4772fe64ba2c3b838dfd11059cbca08165a4f47d895ca682cadbcc9b1169c8034054f24a

  • SSDEEP

    12288:Ivdm+wecl9FXW/vsIUhg4/BkRPYHulQXIsbWGKhJHlu4JW:Ms+wegXWn4/BkRPLMJCjJF

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    a01d

  • Decoy

    eniorshousing05.shop
    rywisevas.biz
    4726.pizza
    itchen-design-42093.bond
    3456.tech
    4825.plus
    nlinecraps.xyz
    itamins-52836.bond
    nfluencer-marketing-40442.bond
    nline-advertising-58573.bond
    rautogroups.net
    limbtrip.net
    oftware-download-14501.bond
    nline-advertising-66733.bond
    erity.xyz
    xknrksi.icu
    x-ist.club
    yber-security-26409.bond
    oincatch.xyz
    onitoring-devices-34077.bond

Targets

    • Target

      Order 3078.exe

    • Size

      770KB

    • MD5

      2c69ec0bd7c4c195a7b6e01274ca4ddf

    • SHA1

      3346a47b05e495951316a54315716599f48a29f4

    • SHA256

      b2fe57ff7504883c1a5050ccf0a6cfe45087a43bea4ce92aec075be6f1852a29

    • SHA512

      36efcc9dc6bf49507565053379348b1bd072b2452f73b5dc4fc4535d4772fe64ba2c3b838dfd11059cbca08165a4f47d895ca682cadbcc9b1169c8034054f24a

    • SSDEEP

      12288:Ivdm+wecl9FXW/vsIUhg4/BkRPYHulQXIsbWGKhJHlu4JW:Ms+wegXWn4/BkRPLMJCjJF

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks