General

  • Target: INVOICE - MV CNC BANGKOK - ST24PJ-278.exe
  • Size: 608KB
  • Sample: 240701-p2y52swcnj
  • MD5: 0559acbaacfcf93cefd8bcbfd498bfe4
  • SHA1: 26142b0abd1848a4aeb96e63ed74836e5af67823
  • SHA256: 251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87
  • SHA512: e6ca8522526fcd0875d97ee1a77bcc3d11e78c6b72d7c2332331c59daae2bc2adb32ce6c803ebdaa27d4990575688acc09c6cca09664d419353f6f3ee848bcdd
  • SSDEEP: 12288:yEJwtNcDfRDyLA7sGpEBVgWd/3cN1h89cdQpNIcaiwLjnp+YDj:lHfROLIsGUVD1cTh89BZaiQ7x/

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ps94
  • Decoy:


Targets

    • Target: INVOICE - MV CNC BANGKOK - ST24PJ-278.exe

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  Tactic      Technique                            ID          Count
  Execution   Command and Scripting Interpreter    T1059       2
  Execution   PowerShell                           T1059.001   1
  Discovery   Query Registry                       T1012       1
  Discovery   System Information Discovery         T1082       3
