General

  • Target

    Project Execution Order - (PO 546788) (PO 546789).rar

  • Size

    13KB

  • Sample

    240701-pz7peasdmg

  • MD5

    39fc68f13cfd8a3cd4e280d33b2fc15a

  • SHA1

    e41071bca23cf3c29712dd96100b552fd0727f45

  • SHA256

    408e418404d842718d88720c6706d3a0a07f40f0e04159091ea31c7333c2f958

  • SHA512

    ba8820e4ed7fbb841825cce9ec93ca4c52b75c6d94ef7b47d32fe3aa7ed636b1e93ece898af3975ceb6754d40b5e7d34a2fab870ca9584aba10f31fb184641c5

  • SSDEEP

    384:02eHRRWLXPGVRB5D+/x2nUG7Yzuc2eyulGi5q:rGRRisjD+/knDYdyulGX

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    45er

  • Decoy

    depotpulsa.com
    k2bilbao.online
    bb4uoficial.com
    rwc666.club
    us-pservice.cyou
    tricegottreats.com
    zsystems.pro
    qudouyin6.com
    sfumaturedamore.net
    pcetyy.icu
    notbokin.online
    beqprod.tech
    flipbuilding.com
    errormitigationzoo.com
    zj5u603.xyz
    jezzatravel.com
    zmdniavysyi.shop
    quinnsteele.com
    522334.com
    outdoorshopping.net

Targets

    • Target

      Project Execution Order - (PO 546788) (PO 546789).exe

    • Size

      38KB

    • MD5

      246238533bb596d52737946aaf4b4d37

    • SHA1

      8c350aff45dbb05c1d61eb885a13b591544b70fa

    • SHA256

      531e29b34f525987ef3210689b417ea3c1a0b4f5c8bcf180ef00148a3e6d0b1f

    • SHA512

      8e5a0bd7a5dce0bf1927ade856aec94f2cb6ee611a832f8178fa7ede5199614b137cb8a5cb001b5d34afd9a8a0628967e68d3759e4b323ea887c59f2b8dda98e

    • SSDEEP

      384:fsNjci832cy7jQNDy1SXNh2xEPICOVvHX9RL7D6p05iVXXXtXXXXXXtX41hoJOuy:vHwL7D6Shho16G+SIp1b5tPeWTU

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    Command and Scripting Interpreter (T1059), 1 match
    PowerShell (T1059.001), 1 match