General

  • Target

    Scanned032221.exe

  • Size

    652KB

  • Sample

    210322-4e3asepkl2

  • MD5

    c6ae31762a9bcf512da3595912d0fd2e

  • SHA1

    f2537f67b4f78ff384c76e7fc7f6762af2b6864b

  • SHA256

    17dba25e41a7c193a9abafca9194574ff970d56c1defec9a1d4fed04590d9ec4

  • SHA512

    aef8f2677bf777a8fba5c34fc8fb4a7ca7bbbe9a1bb79897f4286d164fecd16fe76bfb5aff3a356c114dfc0c19996535308229096a822c93351c39917856e0d2

Malware Config

Extracted

Family

formbook

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Targets

    • Formbook

      Formbook is an information-stealing malware family (a data stealer).

    • ModiLoader, DBatLoader

      ModiLoader is a Delphi-based loader that abuses cloud services to download other malware families.

    • Formbook Payload

    • Adds policy Run key to start application

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                              ID      Count
  Persistence       Registry Run Keys / Startup Folder     T1060   2
  Defense Evasion   Modify Registry                        T1112   3

Tasks