General

  • Target

    7c772a450cabca67d3a26705253f64e94188478c13edfabd5e664c4ba8313bdf

  • Size

    1.6MB

  • Sample

    220724-sl3p3sgea3

  • MD5

    ebd122da55fa80d44675eac85acde174

  • SHA1

    2fae562525109254ba01034ad6ded13e09caaa25

  • SHA256

    7c772a450cabca67d3a26705253f64e94188478c13edfabd5e664c4ba8313bdf

  • SHA512

    0684b6061f6b34f726d793e8d8b4acf3e6e2cc1f1c0bdb139e95408844ade4e83eb210b6e2b3946d0ed44cef6b5a5c3ddf8df2c83289ec283761615c671c4311

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

kb

Decoy


Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.mail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kelechi1

Targets

    • Formbook

      Formbook is data-stealing malware (an information stealer).

    • HawkEye

      HawkEye is a malware kit that has seen continuous development since at least 2013.

    • Formbook payload

    • NirSoft MailPassView

      Password recovery tool for various email clients

    • NirSoft WebBrowserPassView

      Password recovery tool for various web browsers

    • Nirsoft

    • Executes dropped EXE

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Uses the VBS compiler for execution

    • Accesses Microsoft Outlook accounts

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
