General

  • Target

    Attached TT Payment Copy(USD 198,550.05).exe

  • Size

    765KB

  • Sample

    220801-kxfqpafgfn

  • MD5

    38aaaf950849630a2a3282b203532d79

  • SHA1

    6448bd7ab4c04294020479963e53f0fbbe4ecc28

  • SHA256

    a6e702e43965539bad67320474a1abe16545481c599c2200acabe41ec2ce4eb7

  • SHA512

    9de881c36367c42c639dc659c2f1565ee264909dd6823e26a97b05acc4c0ed3a30a6ed0d4d58c556d76fa6a2c1e8e29d731a43143df9c5b775f16b7222b4c0f3

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d27e

Decoy
Targets

    • Formbook

      Formbook is a data-stealing malware family (information stealer).

    • Formbook payload

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution

    Scheduled Task (1) - T1053

  • Persistence

    Scheduled Task (1) - T1053

  • Privilege Escalation

    Scheduled Task (1) - T1053

  • Discovery

    Query Registry (1) - T1012

    System Information Discovery (2) - T1082

Tasks