General

  • Target

    Quotation.exe

  • Size

    222KB

  • Sample

    210408-b35zeam8ks

  • MD5

    1f86caaa19912ceb55c9f6121eb692bb

  • SHA1

    2d4dd95fdb17937b22a3d6a41862704ed80acf70

  • SHA256

    8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c

  • SHA512

    720c68b543c3d5eb2d026feb0ae46d0c77aa0eb71cd3302c520384cbff27e28fed1f9f0b3c761aed7bdea054fd2d3829f294f3250175d6d159d1167122f67a72

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.riceandginger.com/fcn/

Decoy

bellee-select.com

unlock-motorola.com

courtneyrunyon.com

hnzywjz.com

retrievingbest.net

ayescarrental.com

beyoutifulblessings.com

heritagediscovery.net

fasoum.com

wbz.xyz

lownak.com

alinkarmay.com

coffeyquiltco.com

validdreamers.com

yuksukcu.club

buildnextfrc.com

avantfarme.com

xyfs360.com

holisticpacific.com

banejia.com
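The config above is the practical output of this report: one real C2 URL plus a list of decoy domains. FormBook contacts decoys alongside the real C2 so that the true server hides in the noise, which means a decoy hit on its own is weak evidence while a request to the real C2 path is strong. The following Python IOC matcher is an added example, not code from the sandbox or the report; it takes the hashes and domains from this page, assumes a constructed proxy log line format (epoch, client, method, URL, status), and grades each hit accordingly.

```python
"""IOC matcher for the FormBook config on this page (added example, not report code)."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report above.
SAMPLE_SHA256 = "8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c"
C2_URL = "http://www.riceandginger.com/fcn/"
DECOY_DOMAINS = {
    "bellee-select.com", "unlock-motorola.com", "courtneyrunyon.com", "hnzywjz.com",
    "retrievingbest.net", "ayescarrental.com", "beyoutifulblessings.com",
    "heritagediscovery.net", "fasoum.com", "wbz.xyz", "lownak.com", "alinkarmay.com",
    "coffeyquiltco.com", "validdreamers.com", "yuksukcu.club", "buildnextfrc.com",
    "avantfarme.com", "xyfs360.com", "holisticpacific.com", "banejia.com",
}


def norm_host(host):
    """Lower-case a hostname and drop a leading 'www.' so comparisons are stable."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


_c2 = urlsplit(C2_URL)
C2_HOST = norm_host(_c2.hostname)  # riceandginger.com
C2_PATH = _c2.path                 # /fcn/

# Assumed proxy log shape (constructed for this example):
#   <epoch> <client-ip> <METHOD> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url):
    """Return (severity, reason) for one URL, or None if it matches no IOC.

    The real C2 host with the configured path is graded high; the C2 host on
    another path medium (same infrastructure, different resource); a decoy
    domain low, because FormBook contacts decoys to hide the real server and
    those domains may also be visited legitimately.
    """
    parts = urlsplit(url)
    host = norm_host(parts.hostname)
    if host == C2_HOST:
        if parts.path.startswith(C2_PATH):
            return ("high", "real C2 URL from extracted config")
        return ("medium", "C2 host, path not in config")
    if host in DECOY_DOMAINS:
        return ("low", "decoy domain from extracted config")
    return None


def scan(lines):
    """Parse log lines and return a list of IOC hits with their severity."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the assumed format are skipped
        verdict = classify_url(m["url"])
        if verdict:
            hits.append({
                "src": m["src"], "method": m["method"], "url": m["url"],
                "severity": verdict[0], "reason": verdict[1],
            })
    return hits


def hash_matches(sha256_hex):
    """True if a file hash (any case) equals the sample's SHA256 from the report."""
    return sha256_hex.strip().lower() == SAMPLE_SHA256


# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = [
    "1617900001.123 10.0.0.5 POST http://www.riceandginger.com/fcn/ 200",
    "1617900002.456 10.0.0.5 GET http://www.riceandginger.com/fcn/?q=abc 200",
    "1617900003.789 10.0.0.5 GET http://bellee-select.com/fcn/ 404",
    "1617900004.001 10.0.0.7 GET http://example.com/index.html 200",
    "1617900005.222 10.0.0.5 GET http://riceandginger.com/about 200",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["src"]} {hit["method"]} {hit["url"]}  ({hit["reason"]})')
```

In practice, correlate the low-severity decoy hits by source host: one client reaching several decoys and the real C2 within a short window is the pattern the config predicts, whereas a single decoy request from an otherwise quiet host is usually just a user visiting a real website.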

Targets

    • Target

      Quotation.exe

    • Size

      222KB

    • MD5

      1f86caaa19912ceb55c9f6121eb692bb

    • SHA1

      2d4dd95fdb17937b22a3d6a41862704ed80acf70

    • SHA256

      8309d803c92faaf24828cd67e4c1041f9465ecf6c63f7608d7ed4579f075a02c

    • SHA512

      720c68b543c3d5eb2d026feb0ae46d0c77aa0eb71cd3302c520384cbff27e28fed1f9f0b3c761aed7bdea054fd2d3829f294f3250175d6d159d1167122f67a72

    • Formbook

Formbook is an information stealer: it harvests credentials and form data from browsers and other applications, logs keystrokes and clipboard contents, and can take screenshots, sending the results to its C2 server.

    • Formbook Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext (the API used to redirect a suspended thread, a hallmark of process hollowing and thread-hijacking injection)

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

System Information Discovery

1
T1082

Tasks