General

  • Target

    QUOTATION.exe

  • Size

    761KB

  • Sample

    220126-tbsykafda8

  • MD5

    b7cd2e625aa05005e2326e5e6158a560

  • SHA1

    420a83cd1c1703fbf7aeb8b7e51c46c407e5d6b5

  • SHA256

    f08bb3738306349fa7b9217837de2e959cba48fdceb4ada3d3b58533bb3527f2

  • SHA512

    c53ea74a3da53f82bc12bbe0d10a8050d8747737b3cff118465357c278d05b7ddf185b4f53759e636cf7da6000a6036220f1d3df3faa15b00e13f6c33ba18b30

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    e10p

  • Decoy


Targets

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook Payload

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) T1053

  • Persistence

    Scheduled Task (1) T1053

  • Privilege Escalation

    Scheduled Task (1) T1053

  • Discovery

    System Information Discovery (2) T1082

    Query Registry (1) T1012

Tasks