General

  • Target

    RFQ5462-PO22000850.pdf.exe

  • Size

    613KB

  • Sample

    220725-k5l8fabgep

  • MD5

    3ba5f2da42cf3865b04008a26744d346

  • SHA1

    2b897b32de43663cce219db2e7c64aa7315ad6f5

  • SHA256

    a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab

  • SHA512

    5cda5d155abbb748a9845ba2e7b6a10dbc299101b4ad3c641da558b0420a418738c5b8397f6fe5b76c1afb8b54c83137c9803afe32de7fb9a57e42166bc81811
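Before acting on this report, confirm that the file in your own quarantine is the same object the sandbox analysed. The following is an added example (not part of the sandbox report or any Formbook tooling) that streams a file once, computes the four digests listed above, compares them to the report values, and also flags the "document.pdf.exe" double-extension trick used in the target name. The byte blob in `demo()` is constructed for illustration and is not the real sample, so it will not match the reported digests; the extension lists are the author's assumptions.

```python
import hashlib
import os
import tempfile

# Digests published in the report for RFQ5462-PO22000850.pdf.exe.
REPORTED = {
    "md5": "3ba5f2da42cf3865b04008a26744d346",
    "sha1": "2b897b32de43663cce219db2e7c64aa7315ad6f5",
    "sha256": "a06756251dbd94ca9bbecb73e4b5e9c768d3fada398cccae4a59323aebb31eab",
    "sha512": "5cda5d155abbb748a9845ba2e7b6a10dbc299101b4ad3c641da558b0420a418738c5b8397f6fe5b76c1afb8b54c83137c9803afe32de7fb9a57e42166bc81811",
}

# Assumed lists: extensions that execute on Windows, and extensions that
# look like harmless documents to a user who has "hide known extensions" on.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}


def compute_digests(path, chunk_size=1 << 20):
    """Read the file once and feed every chunk to all four hashers."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256", "sha512")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_digests(observed, expected):
    """Per-algorithm match flags; expected values are normalised to lowercase hex."""
    return {name: observed[name] == expected[name].lower() for name in expected}


def has_deceptive_double_extension(filename):
    """True for names like 'invoice.pdf.exe': a document extension in front of an executable one."""
    base = os.path.basename(filename).lower()
    root, last = os.path.splitext(base)
    _, inner = os.path.splitext(root)
    return last in EXECUTABLE_EXTS and inner in DOCUMENT_EXTS


def demo():
    """Run the checks on a constructed stand-in file (not the Formbook sample)."""
    constructed = b"constructed stand-in bytes, not the sandbox sample\n"
    with tempfile.NamedTemporaryFile(suffix=".pdf.exe", delete=False) as tmp:
        tmp.write(constructed)
        path = tmp.name
    try:
        observed = compute_digests(path)
        # Different bytes, so every flag against the report is False ...
        against_report = compare_digests(observed, REPORTED)
        # ... while digests of the same bytes all match.
        expected_here = {n: hashlib.new(n, constructed).hexdigest() for n in observed}
        against_self = compare_digests(observed, expected_here)
        double_ext = has_deceptive_double_extension(path)
    finally:
        os.unlink(path)
    return against_report, against_self, double_ext


if __name__ == "__main__":
    report, same, dbl = demo()
    print("matches report:", report)
    print("matches itself:", same)
    print("double extension:", dbl)
```

Point the functions at the real quarantined file and all four flags from `compare_digests(compute_digests(path), REPORTED)` should be True; a single mismatch means you are not looking at the object this report describes.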

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

t19g

Decoy

Formbook's configuration carries a list of domains, most of which are decoys; the sample contacts domains from this list alongside the real C2 to make the genuine server harder to pick out. Any of these names appearing in DNS or proxy logs is therefore a network indicator for this campaign, but no single one proves which host is the real C2.

playstationspiele.com

cakesbyannal.com

racepin.space

anti-offender.com

magnetque.com

farragorealtybrokerage.com

khuludmohammed.com

v33696.com

84ggg.com

d440.com

soccersmarthome.com

ofthis.world

fivestaryardcards.com

lusyard.com

gghft.com

viajesfortur.com

rationalirrationality.com

hanaramenrestaurant.com

exactlycleanse.com

martensenargentina.com
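To turn the list above into a detection, match DNS query names against it on a label boundary (so `www.playstationspiele.com` counts but `notplaystationspiele.com` does not) and then look for hosts that resolve several of the domains, since Formbook works through its list rather than contacting one server. This is an added example written for this page, not code from the sandbox or from any Formbook analysis tool; the log lines are constructed for illustration and the simple `timestamp client query TYPE qname` format is an assumption, not a real product's log layout.

```python
import re

# Domain list from the extracted Formbook config above (campaign t19g).
FORMBOOK_DOMAINS = {
    "playstationspiele.com", "cakesbyannal.com", "racepin.space",
    "anti-offender.com", "magnetque.com", "farragorealtybrokerage.com",
    "khuludmohammed.com", "v33696.com", "84ggg.com", "d440.com",
    "soccersmarthome.com", "ofthis.world", "fivestaryardcards.com",
    "lusyard.com", "gghft.com", "viajesfortur.com",
    "rationalirrationality.com", "hanaramenrestaurant.com",
    "exactlycleanse.com", "martensenargentina.com",
}

# Constructed DNS query log lines (assumed format), not from the sandbox run.
SAMPLE_LOG = """\
2022-07-25T10:01:03Z 10.0.0.12 query A update.microsoft.com
2022-07-25T10:01:07Z 10.0.0.12 query A www.playstationspiele.com
2022-07-25T10:01:07Z 10.0.0.12 query A cakesbyannal.com
2022-07-25T10:01:08Z 10.0.0.12 query A notplaystationspiele.com
2022-07-25T10:01:09Z 10.0.0.44 query A racepin.space
2022-07-25T10:01:10Z 10.0.0.12 query A d440.com.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def registrable_match(qname, watchlist):
    """Return the watchlist entry that qname equals or is a subdomain of, else None.

    Suffix matching is done label by label, so a lookalike such as
    'notplaystationspiele.com' is not mistaken for 'playstationspiele.com'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan_dns_log(text, watchlist=FORMBOOK_DOMAINS):
    """Yield (timestamp, client, queried name, matched config domain) for each hit."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than silently match
        matched = registrable_match(m["qname"], watchlist)
        if matched:
            hits.append((m["ts"], m["client"], m["qname"], matched))
    return hits


def hosts_with_multiple_hits(hits, threshold=2):
    """Clients that resolved at least `threshold` distinct config domains.

    One lookup of a decoy can be a coincidence (several are ordinary sites);
    one host walking through several of them looks like Formbook beaconing.
    """
    per_client = {}
    for _, client, _, matched in hits:
        per_client.setdefault(client, set()).add(matched)
    return {c: sorted(d) for c, d in per_client.items() if len(d) >= threshold}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for hit in found:
        print("hit:", hit)
    print("likely infected:", hosts_with_multiple_hits(found))
```

Feed real resolver or proxy logs through `scan_dns_log` and treat `hosts_with_multiple_hits` as the alerting condition; single hits are worth a look but, given that some of these domains are otherwise legitimate sites, they are leads rather than confirmations.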

Targets

    • Target

      RFQ5462-PO22000850.pdf.exe


    • Formbook

      Formbook is an information-stealing malware family (a form grabber) that harvests credentials and other data from web browsers and other applications and sends it to its command-and-control server.

    • suricata: ET MALWARE FormBook CnC Checkin (GET)

    • suricata: ET MALWARE FormBook CnC Checkin (POST) M2

      Both Emerging Threats rules fired on the sample's network traffic, i.e. the sandbox observed the HTTP check-in pattern of a live Formbook infection, not just a static match on the binary.

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence: the sample can decide not to run on machines in certain locales, so a sandbox with a different locale may see different behaviour.

    • Reads user/profile data of web browsers

      Infostealers target stored browser profile data, which can include saved credentials, cookies and session tokens.

    • Suspicious use of SetThreadContext

      Calling SetThreadContext on a thread of another process is a common step in process hollowing and other injection techniques: the loader writes its payload into a suspended process and then redirects the thread's entry point to it.

MITRE ATT&CK Matrix ATT&CK v6

  • Execution: Scheduled Task (T1053), 1 hit

  • Persistence: Scheduled Task (T1053), 1 hit

  • Privilege Escalation: Scheduled Task (T1053), 1 hit

  • Defense Evasion: Modify Registry (T1112), 1 hit

  • Credential Access: Credentials in Files (T1081), 1 hit

  • Discovery: Query Registry (T1012), 1 hit; System Information Discovery (T1082), 2 hits

  • Collection: Data from Local System (T1005), 1 hit

The number after each technique is how many of the sandbox's signature hits map to it. The IDs are from ATT&CK v6: in the current matrix, Credentials in Files is the sub-technique T1552.001 (Unsecured Credentials), and the Windows scheduled-task behaviour is T1053.005.
