General

  • Target

    cf4167c690383362c4b42ab32a0ee1ba.bin

  • Size

    714KB

  • Sample

    240613-ctgvksvcmp

  • MD5

    73f46fd86fd3c45d9a0bc288a70b5729

  • SHA1

    76a3b1dc60edf1b1200e559c05161edce8107f97

  • SHA256

    e10fa6b88fa7020523f8ef4ff5cd3fbc8c9b09a389677ca9fc4792167a5ea431

  • SHA512

    894f03f224c37348c88d4e88ba08e7dd613a46c0b9a0de6d484adbcbdd051051088f6a0cb5c57545850758438101c2845422811ee4d61dd59919d364877b21d7

  • SSDEEP

    12288:zVyhHoRnMS4dyV8LLhtlKtDPfvUXQLEwdVvcJC8jMaZr+8sozWz9JnB5/vPyBncp:8HdS6GILhtUDPfvUXQwuUJcoqYzwzxyS

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd20

Decoy

unblurd.com

docu-zign.com

randijpaulsen.com

angsabet.com

sedatelynx.com

opiumcore.store

thelordismysaviormerch.com

mindstudio.support

waterbygraceteam.com

furnitureinspiredbythesea.com

amablanca.com

hespelerdental.com

arcalid.net

balajinursingbureau.online

caixias.shop

solingen-buergerstiftung.com

194916.top

6travel-insurance.xyz

xn--fiqp9b17y.xn--czr694b

syntixi.trade
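The extracted config above, re-parsed into hunting indicators. This is an added example, not the sandbox's own code or output: it assumes the flat "key line, value line(s)" layout shown on this page, copies the page's own values into CONFIG_TEXT, and treats every line under Decoy as a domain. Formbook embeds its live C2 among a list of decoy domains and beacons to all of them, so each entry is worth searching for in DNS and proxy logs, but blocking the whole list blindly also blocks the legitimate sites used as cover.

```python
import textwrap

# Constructed copy of the "Extracted" block as it appears on this page.
CONFIG_TEXT = textwrap.dedent("""\
    Family
    formbook
    Version
    4.1
    Campaign
    dd20
    Decoy
    unblurd.com
    docu-zign.com
    randijpaulsen.com
    angsabet.com
    sedatelynx.com
    opiumcore.store
    thelordismysaviormerch.com
    mindstudio.support
    waterbygraceteam.com
    furnitureinspiredbythesea.com
    amablanca.com
    hespelerdental.com
    arcalid.net
    balajinursingbureau.online
    caixias.shop
    solingen-buergerstiftung.com
    194916.top
    6travel-insurance.xyz
    xn--fiqp9b17y.xn--czr694b
    syntixi.trade
    """)

SCALAR_KEYS = {"Family", "Version", "Campaign"}  # one value line each
LIST_KEYS = {"Decoy"}                             # all following lines


def parse_config(text):
    """Parse the flat report layout into {key: value} / {key: [values]}."""
    cfg, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line:
            continue
        if line in SCALAR_KEYS or line in LIST_KEYS:
            current = line
            if line in LIST_KEYS:
                cfg[current] = []
            continue
        if current is None:
            raise ValueError(f"value without a preceding key: {line!r}")
        if current in LIST_KEYS:
            cfg[current].append(line)
        else:
            cfg[current] = line
            current = None
    return cfg


def to_unicode(domain):
    """Decode Punycode (xn--) labels so the analyst sees the rendered name.
    Falls back to the ASCII label if it is not valid Punycode."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass
        labels.append(label)
    return ".".join(labels)


def defang(domain):
    """Neutralise the name so it cannot be clicked when shared."""
    return domain.replace(".", "[.]")


def hunting_iocs(cfg):
    """Normalise, de-duplicate and defang the decoy list for sharing."""
    seen, rows = set(), []
    for raw in cfg.get("Decoy", []):
        name = raw.strip().lower().rstrip(".")
        if not name or name in seen:
            continue
        seen.add(name)
        rows.append({"ascii": defang(name),
                     "unicode": defang(to_unicode(name)),
                     "tld": name.rsplit(".", 1)[-1]})
    return rows


if __name__ == "__main__":
    config = parse_config(CONFIG_TEXT)
    print(f"{config['Family']} {config['Version']} campaign {config['Campaign']}")
    for row in hunting_iocs(config):
        extra = f"  ({row['unicode']})" if row["unicode"] != row["ascii"] else ""
        print(f"  {row['ascii']}{extra}")
```

The parser is deliberately strict about a value appearing before any key, so a truncated or re-ordered export fails loudly instead of silently mislabelling a domain as the campaign ID.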

Targets

    • Target

      48e036467595c63c65d8640a84f4bcf9545a20a9ac2596e8e555a4126c4e7cf7.exe

    • Size

      820KB

    • MD5

      cf4167c690383362c4b42ab32a0ee1ba

    • SHA1

      09a8e7792a20df75fc6c466c921c6e3fb1b92985

    • SHA256

      48e036467595c63c65d8640a84f4bcf9545a20a9ac2596e8e555a4126c4e7cf7

    • SHA512

      11174ee27f1b4b7ce870d13d4ddc3be5772b844b9a28baac78b467ab916a46ebc2cebfb938e5768a1a89a9d2f12fff24adf707144e9d10fe8f25888707ef126a

    • SSDEEP

      12288:bwuD3HH3DI+Q9vAKJDnbEMNC2pWPHuHKzCFcqx8rO9Hl5eIcdAAykR:cujH3DIT94yCqEOwmx869hmAI

    • Formbook

      Formbook is an information stealer: it hooks browsers and other applications to capture submitted form data and credentials, logs keystrokes and clipboard contents, can take screenshots, and can fetch and run additional payloads on operator command.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to add Windows Defender exclusions for file extensions, paths, and processes (typically via Add-MpPreference or Set-MpPreference with -ExclusionExtension, -ExclusionPath and -ExclusionProcess), so the dropped payload is never scanned.

    • Checks computer location settings

      Reads the country code configured in the registry (typically HKCU\Control Panel\International\Geo\Nation), a common geofence used to avoid executing in countries the operator wants to exclude.

    • Suspicious use of SetThreadContext

      Rewrites the context of a thread in another process, the step that redirects execution to an injected payload in process hollowing and similar injection techniques.
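How a detection engineer might encode the three behavioural signatures above as rules over endpoint telemetry. This is an added example, not the sandbox's signature code: the flat event layout, the pids and the command line are constructed, and the registry key used for the location check is an assumption, since the report does not name it.

```python
import re
from collections import defaultdict

# Constructed telemetry in a simplified, flat event shape (an assumption of
# this example, not the sandbox's format). pid 4201 reproduces the behaviours
# the report lists; pid 7000 is benign noise that must not fire.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4201,
     "cmd": 'powershell.exe -NoProfile -Command "Add-MpPreference '
            '-ExclusionPath C:\\Users\\Public -ExclusionExtension exe '
            '-ExclusionProcess svchost.exe"'},
    {"type": "registry", "pid": 4201, "op": "QueryValue",
     "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "api", "pid": 4201, "api": "CreateProcessW",
     "args": {"flags": "CREATE_SUSPENDED", "child_pid": 5116}},
    {"type": "api", "pid": 4201, "api": "WriteProcessMemory",
     "args": {"target_pid": 5116}},
    {"type": "api", "pid": 4201, "api": "SetThreadContext",
     "args": {"target_pid": 5116}},
    {"type": "api", "pid": 4201, "api": "ResumeThread",
     "args": {"target_pid": 5116}},
    {"type": "api", "pid": 7000, "api": "SetThreadContext",
     "args": {"target_pid": 7000}},   # its own thread: not suspicious
]

# Add-MpPreference / Set-MpPreference with any of the three exclusion kinds
# the report names. Plain-text match only: a Base64 -EncodedCommand or a
# string-concatenated cmdlet name must be decoded before this regex applies.
DEFENDER_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Extension|Process)\b",
    re.IGNORECASE | re.DOTALL)

# User-configured country code. The key is an assumption of this example;
# the report only says the country code is read from the registry.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$",
                     re.IGNORECASE)


def evaluate(events):
    """Return {signature_name: [evidence, ...]} for every rule that fired."""
    hits = defaultdict(list)
    suspended = set()   # (parent_pid, child_pid) created with CREATE_SUSPENDED
    written = set()     # (pid, target_pid) pairs that received WriteProcessMemory
    for ev in events:
        if ev["type"] == "process":
            m = DEFENDER_EXCLUSION.search(ev["cmd"])
            if m:
                hits["Command and Scripting Interpreter: PowerShell"].append(
                    f"pid {ev['pid']} added Defender {m.group(2)} exclusion: "
                    f"{ev['cmd']}")
        elif ev["type"] == "registry":
            if GEO_KEY.search(ev["key"]):
                hits["Checks computer location settings"].append(
                    f"pid {ev['pid']} {ev['op']} {ev['key']}")
        elif ev["type"] == "api":
            a = ev["args"]
            if ev["api"].startswith("CreateProcess") and \
                    "CREATE_SUSPENDED" in a.get("flags", ""):
                suspended.add((ev["pid"], a["child_pid"]))
            elif ev["api"] == "WriteProcessMemory" and \
                    a["target_pid"] != ev["pid"]:
                written.add((ev["pid"], a["target_pid"]))
            elif ev["api"] == "SetThreadContext" and \
                    a["target_pid"] != ev["pid"]:
                pair = (ev["pid"], a["target_pid"])
                detail = "remote thread context rewrite"
                if pair in suspended and pair in written:
                    detail = ("process hollowing chain: suspended create -> "
                              "WriteProcessMemory -> SetThreadContext")
                hits["Suspicious use of SetThreadContext"].append(
                    f"pid {ev['pid']} -> pid {a['target_pid']}: {detail}")
    return dict(hits)


if __name__ == "__main__":
    for name, evidence in evaluate(SAMPLE_EVENTS).items():
        print(name)
        for line in evidence:
            print("   ", line)
```

The SetThreadContext rule only fires for a thread in another process, and it raises the verdict to a hollowing chain when the same parent previously created that child suspended and wrote into it; a lone cross-process SetThreadContext is still reported, because debuggers and injectors both use it and the analyst should decide.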

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic                Technique                          Count  ID
  Execution             Command and Scripting Interpreter  1      T1059
  Execution             PowerShell                         1      T1059.001
  Execution             Scheduled Task/Job                 1      T1053
  Persistence           Scheduled Task/Job                 1      T1053
  Privilege Escalation  Scheduled Task/Job                 1      T1053
  Discovery             Query Registry                     1      T1012
  Discovery             System Information Discovery       2      T1082

Tasks