General

  • Target

    NEW ODER.exe

  • Size

    225KB

  • Sample

    210506-hfnklmg9zx

  • MD5

    a995d24b27548f0215eaa0d87dc140c3

  • SHA1

    d2adc518df40843623413b5d5310ea4069fdba2e

  • SHA256

    859db52a7e6fdf6f93350d27b7917853b8b88a2536721328ff60a98f59a93b91

  • SHA512

    693d6532465d4bbf3d5f67473bdc539ec255bbc6a7950ae7a170a7a2dc8eee8a7c16f471fb210d8f492aea8e038e9f794207354906c231216bfd81cfd2e897ac

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.knighttechinca.com/dxe/

Decoy

sardarfarm.com

959tremont.com

privat-livecam.net

ansel-homebakery.com

joysupermarket.com

peninsulamatchmakers.net

northsytyle.com

radioconexaoubermusic.com

relocatingrealtor.com

desyrnan.com

onlinehoortoestel.online

enpointe.online

rvvikings.com

paulpoirier.com

shitarpa.net

kerneis.net

rokitreach.com

essentiallygaia.com

prestiged.net

fuerzaagavera.com
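The extracted config above is directly usable for hunting: the sample hashes identify the file, the C2 URL identifies the real beacon, and the decoy list explains the noise. Formbook mixes requests to decoy domains in with its real C2 traffic, and the decoys are normally unrelated, often legitimate sites, so blocking or alerting on every decoy causes false positives; the C2 host (and the configured URI path, which this example assumes Formbook reuses when it contacts decoys) is the strong signal. The following Python script is an added example, not part of the sandbox report or any tooling of its own: it embeds the report's hashes, C2 and decoys, checks a byte string against the hashes, and grades constructed proxy-log lines (the log format and the traffic in them are made up for illustration).

```python
"""IOC matching for the Formbook config in the report above.

Added example: hashes, C2 and decoy domains are copied from the report;
the log format, log lines and severity scheme are constructed here.
"""
import hashlib
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Sample hashes from the report (hashlib algorithm name -> expected digest).
SAMPLE_HASHES = {
    "md5": "a995d24b27548f0215eaa0d87dc140c3",
    "sha1": "d2adc518df40843623413b5d5310ea4069fdba2e",
    "sha256": "859db52a7e6fdf6f93350d27b7917853b8b88a2536721328ff60a98f59a93b91",
    "sha512": "693d6532465d4bbf3d5f67473bdc539ec255bbc6a7950ae7a170a7a2dc8eee8a"
              "7c16f471fb210d8f492aea8e038e9f794207354906c231216bfd81cfd2e897ac",
}

C2_URL = "http://www.knighttechinca.com/dxe/"
C2_HOST = "knighttechinca.com"   # compared with any leading "www." stripped
C2_PATH = "/dxe/"

DECOY_DOMAINS = {
    "sardarfarm.com", "959tremont.com", "privat-livecam.net",
    "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net",
    "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com",
    "desyrnan.com", "onlinehoortoestel.online", "enpointe.online",
    "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net",
    "rokitreach.com", "essentiallygaia.com", "prestiged.net",
    "fuerzaagavera.com",
}

# Constructed proxy-log format: "<epoch> <src ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d+)$"
)


def matching_hash_algorithms(data: bytes) -> List[str]:
    """Return the names of the report hashes that this file content matches."""
    return [alg for alg, want in SAMPLE_HASHES.items()
            if hashlib.new(alg, data).hexdigest() == want]


def classify_request(host: str, path: str) -> Optional[str]:
    """Grade one HTTP request against the config.

    high:   the real C2 host with the configured path (the beacon itself)
    medium: the C2 host on another path, or a decoy domain with the C2 path
            (assumption: Formbook reuses the configured path on decoys)
    low:    a decoy domain on any other path, usually legitimate browsing
    None:   unrelated to this config
    """
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    if host == C2_HOST:
        return "high" if path.startswith(C2_PATH) else "medium"
    if host in DECOY_DOMAINS:
        return "medium" if path.startswith(C2_PATH) else "low"
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse proxy-log lines and return every request that touches the config."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                      # skip lines that do not fit the format
        u = urlparse(m["url"])
        severity = classify_request(u.hostname or "", u.path or "/")
        if severity:
            hits.append({"src": m["src"], "url": m["url"], "severity": severity})
    return hits


def hosts_to_triage(hits: List[Dict[str, str]]) -> List[str]:
    """Source IPs with at least one high or medium hit; low-only hosts are left out."""
    return sorted({h["src"] for h in hits if h["severity"] in ("high", "medium")})


# Constructed log lines for a self-contained run (not real traffic).
SAMPLE_LOG = [
    "1620290001.101 192.0.2.10 GET http://www.knighttechinca.com/dxe/?k8=abc123 200",
    "1620290002.202 192.0.2.10 GET http://sardarfarm.com/dxe/?k8=abc123 404",
    "1620290003.303 192.0.2.11 GET http://rvvikings.com/index.html 200",
    "1620290004.404 192.0.2.12 GET http://example.org/ 200",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["severity"].upper(), hit["src"], hit["url"])
    print("triage:", hosts_to_triage(scan_log(SAMPLE_LOG)))
```

The severity scheme is the editorial point: a host that only visited a decoy domain on an ordinary path is not evidence of infection, while the configured host and path together are, and the hash check is the cheap first step before any network analysis.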

Targets

    • Target

      NEW ODER.exe

    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials and form data from browsers and other applications, logs keystrokes and clipboard contents, and exfiltrates what it collects over HTTP to its C2.

    • Formbook Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

    Command-Line Interface (T1059): 1 matched signature

Discovery

    System Information Discovery (T1082): 2 matched signatures

Tasks