General

  • Target

    NEW ORDER.exe

  • Size

    277KB

  • Sample

    210507-m28fqbfza6

  • MD5

    fdb13566001939b797325265bc1048e0

  • SHA1

    096a63354f73bcc105030ede2f04c5bb12cf2711

  • SHA256

    3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461

  • SHA512

    faac103a3a220885b3e4ec848e384e9b8b7ce9a19ab90c97d6319106e0a00275b0d6a51ab94e63bad147e2bcb32cc8ef051705c3b5e019ae1374cfdb901bf934

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • C2

    http://www.knighttechinca.com/dxe/

  • Decoy

    sardarfarm.com
    959tremont.com
    privat-livecam.net
    ansel-homebakery.com
    joysupermarket.com
    peninsulamatchmakers.net
    northsytyle.com
    radioconexaoubermusic.com
    relocatingrealtor.com
    desyrnan.com
    onlinehoortoestel.online
    enpointe.online
    rvvikings.com
    paulpoirier.com
    shitarpa.net
    kerneis.net
    rokitreach.com
    essentiallygaia.com
    prestiged.net
    fuerzaagavera.com

Targets

    • Target

      NEW ORDER.exe

    • Size

      277KB

    • MD5

      fdb13566001939b797325265bc1048e0

    • SHA1

      096a63354f73bcc105030ede2f04c5bb12cf2711

    • SHA256

      3f2cdc7783014a37d7ad61ee00c226d5221d4932f4113eb3590a9c9d0447b461

    • SHA512

      faac103a3a220885b3e4ec848e384e9b8b7ce9a19ab90c97d6319106e0a00275b0d6a51ab94e63bad147e2bcb32cc8ef051705c3b5e019ae1374cfdb901bf934

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook Payload

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Discovery

  • System Information Discovery (2)

    T1082

  • Query Registry (1)

    T1012

Tasks