General

  • Target: 2daefddc9456812219167d69dad58b3c.exe
  • Size: 626KB
  • Sample: 240613-pd2k9syalh
  • MD5: 2daefddc9456812219167d69dad58b3c
  • SHA1: 82608b1808df7840e30d5d0089e3457d0ee0077c
  • SHA256: d30ab232ed71b8b011f47a39468b10ff4252b0b8caa979a3d9dd679ff3f0b800
  • SHA512: b1e26b3626a40f843abdccc84b63215328f02cbf6d10a4daf9b12c33ebfc17bccf5313cb8025c9916daf88b55e9771ee1ec47e3d0a9f5ddbb0acf9c421ffe7c9
  • SSDEEP: 12288:IDyCK2xrOoLtXlGf+Dg5BVVAAbX8sUL7epov6XdTnhPNEMEti3:KyC5Lpl/g9KCMsg3v6tTnhPN7ai3

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: pz12

Decoy
Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Command and Scripting Interpreter (T1059): 1
    PowerShell (T1059.001): 1

  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2