General

  • Target

    dd2338c1c8e798e8428bbd62513e3ca5aafb8d238a01e67e32330c7e383f2c1f

  • Size

    985KB

  • Sample

    210122-fcshl9fhhe

  • MD5

    7d89ba5fdb75f333becfd437de73f6d4

  • SHA1

    5c7c02592bfae2711c7f82647e426e06a8bc453d

  • SHA256

    dd2338c1c8e798e8428bbd62513e3ca5aafb8d238a01e67e32330c7e383f2c1f

  • SHA512

    c613e89d6e5015448e3db9be5162d345a7d01ecd9d86a2385787695d31a2619ea171091aae06ab199450bd22ddfb910a6158e36eaa87821c79c1c01ba8a45404

Malware Config

Extracted

Family

formbook

C2

http://www.unitedfootballcamps.com/bf3/

Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook Payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence

    Registry Run Keys / Startup Folder (T1060): 1

  • Defense Evasion

    Modify Registry (T1112): 2

  • Discovery

    System Information Discovery (T1082): 2

    Query Registry (T1012): 1