General

  • Target

    REVISED INVOICE DETAILS.rar

  • Size

    940KB

  • Sample

    210726-6f4bsww742

  • MD5

    bf6f5d6dd2f5109f0330db8b5f4e54e7

  • SHA1

    e8dff94fbbc03a199dd7e190838bbbe9b8e02522

  • SHA256

    2da40a3eddfabf08bbf581329e88f79f4038e38edf8fbc7ce0f45d0ba9499a71

  • SHA512

    9eba90fed5031015d31ce2a760cd82494e0abf8d69b3b912e64c50e8dca7c7a6ec90887d77e932b6601ec1aeb1a07060ade936e5453bd121e93f0bb76ce32a33

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.fabricwarehousebrla.com/mjf5/

Decoy


Targets

    • Target

      REVISED INVOICE DETAILS.exe

    • Size

      1.2MB

    • MD5

      f085c3358b59f0f7233e460816b9cffd

    • SHA1

      1fa9928211033fd8afadc910e5acbd608d2686d1

    • SHA256

      ac4d23b56b2aac65756dafc7d6ff505ba986f40410370ca4c094f0530e399d79

    • SHA512

      88525849adc8ea59bf90a3e95d284b66514e24a955f059d1be29eab26e9d052d6dcd353668a3330055478b5c982ce508a8aa2aabe42dfc99979c9a4a70637d43

    • Formbook

      Formbook is a data-stealing malware family.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Formbook Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    System Information Discovery (T1082): 1

Tasks