General

  • Target

    SKM_C221200706052800.exe

  • Size

    273KB

  • Sample

    210118-gdy3m636v2

  • MD5

    3c51788968fa6ed67bde7511b1868b08

  • SHA1

    194e63c851406e2ac39ef09d48ab35871e041ccc

  • SHA256

    0baedfe6121c3fdc3438625335a05080f6e347bf6ff29910d2ff35b2aa02d4d5

  • SHA512

    2f872cd65df657e420c8d47e4b9ef2919ecc4b8170855751f8b26faec02fe59df949cb9c3306327250911292d52261a1a28970c2ba41044e47e4f7cb8a3e4467

Malware Config

Extracted

Family

formbook

C2

http://www.destinny.com/s9zh/

Decoy

Targets

    • Target

      SKM_C221200706052800.exe

    • Formbook

      Formbook is a data-stealing malware family.

    • Xloader

      Xloader is a rebranded version of Formbook malware.

    • Xloader Payload

    • Blocklisted process makes network request

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic           Technique   Count   ID
  Execution        Scripting   1       T1064
  Defense Evasion  Scripting   1       T1064

Tasks