General

  • Target

    Quotation.exe

  • Size

    955KB

  • Sample

    210506-v3nydexje2

  • MD5

    9246a29da060479960879de3db2f1374

  • SHA1

    fecbed5c0e6cce40444994c85caf7cb838b35df7

  • SHA256

    49a4412c27e5eafc4c4365a2b2aeb962d6bf25849ab58d4e7eeb25fcfb934dcd

  • SHA512

    d463a62e867e1b64e1a0fa22583840f6198b8af9e7cafbf6608da726fb94d66184c5abf172c150513a48ea09711633847e429b50bd3d0df09f5168799c640d7f

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.bluesmartsockets.com/mgl/

Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family that harvests credentials and other data from infected hosts.

    • Formbook Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Command-Line Interface (T1059): 1

  • Discovery

    Query Registry (T1012): 1

    System Information Discovery (T1082): 2

Tasks