General

  • Target

    d85ab2068495ecca61f3f828f8cb4ad83c74beb9f9a25cb660f1c8f7d5e36967

  • Size

    962KB

  • Sample

    210727-vkp7vanq56

  • MD5

    48a19afead6cdf979041d51e24dbedce

  • SHA1

    f5baef2f95f0e8ca96f997e660f3b11aab953b4d

  • SHA256

    d85ab2068495ecca61f3f828f8cb4ad83c74beb9f9a25cb660f1c8f7d5e36967

  • SHA512

    bbc5909ccddb20dd7031935db4dbed10a5131218462a2f4a4a2f8f872dfed50685cc905f7548fa0badbc0e946ef7acb5fcb515aefe998dc6cbd66b81321a362e

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.zaden.online/ard5/

Decoy (domains the sample contacts alongside the real C2 to mask it; a request to one of these is not on its own an indicator of compromise)

withaggency.com

iamtyra.com

classicnothistoric.digital

eugeneoregononline.com

thegioimyphamduc-nhat.info

dreamyyogaco.com

mischerry.com

av-trust.online

vogue.photos

tohidistudio.com

stargazernailsalon.com

mazzarothcl.com

shaowang.net

scdde.com

grupoecojeans.com

fillantrophy.com

niamable.com

loftfashionuntitled.com

caninehealthfarm.com

firstsight-intl.com

Targets

    • Target

      Invoice 474833.exe

    • Size

      1.3MB

    • MD5

      511ea9ea19814aa9d07fb5f1533f6c39

    • SHA1

      7344e3048c6d040f2769cd83c108d9c795a8461b

    • SHA256

      6fa8fec4f4d71ba8aef6d0a96ceec8f22edcd68dd58e41decdd6979b34988827

    • SHA512

      cc93f564ef3d73a1a5935422f1baca721c62f2aae345918291b67881f1f2dc1888b7a9ca9a6924414fab275c2bd88eba57133a4d561971781e5085ec35ed7bee

    • Formbook

      Formbook is an information-stealing malware family: it grabs credentials and form data from browsers and mail clients, logs keystrokes and clipboard contents, captures screenshots, and injects into legitimate processes to hide its activity and reach the C2.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • CustAttr .NET packer

      Detects CustAttr .NET packer in memory.

    • Formbook Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

      SetThreadContext on another process's thread is the usual way injected code is started (process hollowing / thread hijacking), consistent with Formbook's injection behaviour.
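The extracted config above (C2 URL plus decoy list) and the Suricata check-in alert are only useful if they can be matched against what hosts actually requested. The script below is an added example, not part of this report or of the sandbox that produced it: it turns the config into a matcher and runs it over proxy log lines. The log format (`<ts> <src_ip> <method> <url> <status>`) and the log lines themselves are constructed for the example; the only real data is the C2 URL and decoy domains listed on this page. Because Formbook requests the decoys with the same URI path as the real C2, a decoy hit is reported separately from a C2 hit, and an unknown host carrying the C2 path is flagged with a lower-confidence `c2-path` verdict (a heuristic, not a rule from the report).

```python
"""IOC matcher built from the Formbook config extracted on this page.

Added example; the proxy log lines are constructed, the C2 URL and decoy
domains are those listed in the report.
"""
import re
from urllib.parse import urlparse

# Configuration as extracted in the report (family / version / C2 / decoys).
FORMBOOK_CONFIG = {
    "family": "formbook",
    "version": "4.1",
    "c2": ["http://www.zaden.online/ard5/"],
    "decoy": [
        "withaggency.com", "iamtyra.com", "classicnothistoric.digital",
        "eugeneoregononline.com", "thegioimyphamduc-nhat.info", "dreamyyogaco.com",
        "mischerry.com", "av-trust.online", "vogue.photos", "tohidistudio.com",
        "stargazernailsalon.com", "mazzarothcl.com", "shaowang.net", "scdde.com",
        "grupoecojeans.com", "fillantrophy.com", "niamable.com",
        "loftfashionuntitled.com", "caninehealthfarm.com", "firstsight-intl.com",
    ],
}

# Assumed log format (constructed for this example): "<ts> <src_ip> <method> <url> <status>".
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Verdict severity, highest first, used to pick one verdict per source host.
SEVERITY = {"c2": 3, "c2-path": 2, "decoy": 1}


def _host(name):
    return name.lower().rstrip(".")


def _host_matches(seen, known):
    """True for an exact match or a subdomain of the known host."""
    return seen == known or seen.endswith("." + known)


def build_matcher(config):
    """Split the config into (c2_host, c2_path) pairs and a set of decoy hosts."""
    c2 = []
    for url in config["c2"]:
        u = urlparse(url)
        path = u.path if u.path.endswith("/") else u.path + "/"
        c2.append((_host(u.hostname or ""), path))
    decoys = {_host(d) for d in config["decoy"]}
    return c2, decoys


def classify(url, c2, decoys):
    """Return 'c2', 'decoy', 'c2-path' or None for one requested URL.

    Decoy hosts are checked before the path heuristic because Formbook
    requests them with the same URI path as the real C2; an unknown host
    with the C2 path is only 'c2-path' (heuristic, lower confidence).
    """
    u = urlparse(url)
    host = _host(u.hostname or "")
    path = u.path or "/"
    if any(_host_matches(host, c2_host) for c2_host, _ in c2):
        return "c2"
    if any(_host_matches(host, d) for d in decoys):
        return "decoy"
    if any(c2_path != "/" and path.startswith(c2_path) for _, c2_path in c2):
        return "c2-path"
    return None


def scan(lines, config):
    """Classify every parseable log line; lines that do not match the format are skipped."""
    c2, decoys = build_matcher(config)
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify(m["url"], c2, decoys)
        if verdict:
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "verdict": verdict})
    return hits


def triage(hits):
    """Highest-severity verdict per source host."""
    worst = {}
    for h in hits:
        cur = worst.get(h["src"])
        if cur is None or SEVERITY[h["verdict"]] > SEVERITY[cur]:
            worst[h["src"]] = h["verdict"]
    return worst


SAMPLE_PROXY_LOG = [  # constructed for this example
    "2021-07-27T10:01:02Z 10.0.0.15 GET http://www.zaden.online/ard5/?x=1 200",
    "2021-07-27T10:01:05Z 10.0.0.15 GET http://www.iamtyra.com/ard5/?x=1 404",
    "2021-07-27T10:01:09Z 10.0.0.15 GET http://host.example/ard5/?x=1 200",
    "2021-07-27T10:02:00Z 10.0.0.22 GET https://vogue.photos/ 200",
    "2021-07-27T10:02:30Z 10.0.0.22 GET https://www.microsoft.com/ 200",
    "not a log line",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_PROXY_LOG, FORMBOOK_CONFIG)
    for h in hits:
        print(h["verdict"], h["src"], h["url"])
    print(triage(hits))
```

On the constructed log, 10.0.0.15 is reported as `c2` (it reached the real C2 host) while 10.0.0.22 only touched a decoy and is reported as `decoy`, which is the distinction an analyst needs before escalating: a decoy-only host should be reviewed, not declared infected on that evidence alone.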

MITRE ATT&CK Matrix (ATT&CK v6)

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Discovery

System Information Discovery

1
T1082

Tasks