General

  • Target

    INVOICES.exe

  • Size

    996KB

  • Sample

    220803-1jq79sffg4

  • MD5

    edfc6e2add36e49c8c9e010db0eb0632

  • SHA1

    69697675cdc6d2c26db0709339bfd8f42044e7b6

  • SHA256

    86871dd03f2da6c6de34710060ddc726fae5907f1f48d37c26d23f4d3d3f9bb8

  • SHA512

    61dd86fe6c09ecb2e8e107a0aa6f93d0d44334f873c3fb4b842be5e4da26e72ad53cc65c202fe9aca0ef540021ed4ddbe4f3fa9030886d835ff6ad74c894cac6

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ee27

Decoy

gasimportsfiles.com

hospitaljobsindia.com

mymortgagecantips.xyz

yourenotalone.world

livethejesuslife.com

sobernv.com

bobgruber.online

badu100.com

id98qq12.com

naturalex.co.uk

metathrillrides.com

blessingstowing.com

juddsbarandgrill.com

qrcodemania.com

haodaculture.com

obot.xyz

soupmortgagemark.xyz

top-road.com

xiaoterv.com

madrstyonline.com
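The decoy list above is the config as extracted: Formbook contacts decoy domains alongside its real C2, so every entry is worth matching against DNS telemetry. The following is an added example (not code from the report or from the malware family) that turns the list into a DNS-log matcher; the log line format and the log lines themselves are constructed for illustration, and the matcher works on label boundaries so that a substring false positive such as "robot.xyz" for "obot.xyz" is avoided.

```python
import re
from typing import Dict, Iterable, List, Optional

# Decoy list from the extracted config above. The live C2 is mixed in with
# decoys the sample also beacons to, so every entry is treated as an IOC.
DECOY_DOMAINS = [
    "gasimportsfiles.com", "hospitaljobsindia.com", "mymortgagecantips.xyz",
    "yourenotalone.world", "livethejesuslife.com", "sobernv.com",
    "bobgruber.online", "badu100.com", "id98qq12.com", "naturalex.co.uk",
    "metathrillrides.com", "blessingstowing.com", "juddsbarandgrill.com",
    "qrcodemania.com", "haodaculture.com", "obot.xyz",
    "soupmortgagemark.xyz", "top-road.com", "xiaoterv.com",
    "madrstyonline.com",
]


def normalize(name: str) -> str:
    """Lower-case, strip whitespace and a trailing root dot ('OBOT.XYZ.' -> 'obot.xyz')."""
    return name.strip().rstrip(".").lower()


IOC_SET = {normalize(d) for d in DECOY_DOMAINS}


def matches_ioc(qname: str) -> Optional[str]:
    """Return the IOC that a queried name falls under, or None.

    Matching is done on label boundaries: 'www.obot.xyz' hits 'obot.xyz',
    but 'robot.xyz' does not, which a plain substring check would get wrong.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_SET:
            return candidate
    return None


# Constructed log format for this example: "<timestamp> <client_ip> <qname> <qtype>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit record per log line whose query name matches an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # skip lines that do not fit the constructed format
            continue
        ts, client, qname, qtype = m.groups()
        ioc = matches_ioc(qname)
        if ioc is not None:
            hits.append({"ts": ts, "client": client, "qname": qname,
                         "qtype": qtype, "ioc": ioc})
    return hits


# Constructed DNS log lines (not from the sandbox run).
SAMPLE_LOG = [
    "2022-08-03T10:01:02Z 10.0.0.5 www.microsoft.com A",
    "2022-08-03T10:01:05Z 10.0.0.5 www.gasimportsfiles.com A",
    "2022-08-03T10:01:06Z 10.0.0.5 robot.xyz A",
    "2022-08-03T10:01:09Z 10.0.0.7 TOP-ROAD.COM. A",
    "this line is malformed",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} -> IOC {hit['ioc']}")
```

Run on the constructed log it reports two hits (www.gasimportsfiles.com and TOP-ROAD.COM.) and ignores robot.xyz; feed it real resolver logs by replacing SAMPLE_LOG and, if needed, LOG_RE.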

Targets

    • Target

      INVOICES.exe

    • Size

      996KB

    • MD5

      edfc6e2add36e49c8c9e010db0eb0632

    • SHA1

      69697675cdc6d2c26db0709339bfd8f42044e7b6

    • SHA256

      86871dd03f2da6c6de34710060ddc726fae5907f1f48d37c26d23f4d3d3f9bb8

    • SHA512

      61dd86fe6c09ecb2e8e107a0aa6f93d0d44334f873c3fb4b842be5e4da26e72ad53cc65c202fe9aca0ef540021ed4ddbe4f3fa9030886d835ff6ad74c894cac6

    • Formbook

      Formbook is an information-stealing malware family: it harvests credentials, keystrokes, clipboard contents and form data from browsers and other applications and exfiltrates them to its C2.

    • ModiLoader (aka DBatLoader)

      ModiLoader is a Delphi-written loader that abuses public cloud services to download and run further malware families.

    • Formbook payload

    • ModiLoader Second Stage

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check that stops execution in certain regions.

    • Adds Run key to start application

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
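Two of the behaviours flagged above (adding a Run key and dropping a file into System32) as they would show up in Sysmon telemetry, correlated per process. This is an added example, not part of the sandbox report: the events, the dropper path, the dropped filename and the allow-list of benign System32 writers are all constructed for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Sysmon event IDs used here: 11 = FileCreate, 13 = RegistryEvent (value set).
# In event 13, TargetObject is the full key path including the value name.
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
SYSTEM32_PREFIX = "c:\\windows\\system32\\"
# Illustrative allow-list (assumption, tune per environment) of images that
# legitimately create files under System32.
BENIGN_SYSTEM32_WRITERS = {
    "c:\\windows\\system32\\svchost.exe",
    "c:\\windows\\system32\\msiexec.exe",
}


def is_run_key_set(ev: Dict) -> bool:
    """Event 13 SetValue under any hive's ...\\CurrentVersion\\Run or RunOnce (Wow6432Node included)."""
    return (ev.get("EventID") == 13
            and ev.get("EventType") == "SetValue"
            and RUN_KEY_RE.search(ev.get("TargetObject", "")) is not None)


def is_system32_drop(ev: Dict) -> bool:
    """Event 11 where a non-allow-listed image creates a file under System32."""
    if ev.get("EventID") != 11:
        return False
    target = ev.get("TargetFilename", "").lower()
    image = ev.get("Image", "").lower()
    return target.startswith(SYSTEM32_PREFIX) and image not in BENIGN_SYSTEM32_WRITERS


def correlate(events: Iterable[Dict]) -> List[Dict]:
    """Group hits per ProcessGuid and grade them.

    Run-key writes are tagged with the ATT&CK IDs the matrix below uses
    (T1060, T1112). A process that both sets a Run value and drops into
    System32 is 'high'; the finding also records whether the Run value
    points at the dropped file.
    """
    per_proc = defaultdict(lambda: {"image": "", "run_values": [], "drops": []})
    for ev in events:
        guid = ev.get("ProcessGuid")
        if not guid:
            continue
        if is_run_key_set(ev):
            per_proc[guid]["image"] = ev.get("Image", "")
            per_proc[guid]["run_values"].append(
                (ev["TargetObject"], ev.get("Details", "")))
        elif is_system32_drop(ev):
            per_proc[guid]["image"] = ev.get("Image", "")
            per_proc[guid]["drops"].append(ev["TargetFilename"])

    findings = []
    for guid, info in per_proc.items():
        drops_lc = [d.lower() for d in info["drops"]]
        points_at_drop = any(d in details.lower()
                             for _, details in info["run_values"] for d in drops_lc)
        techniques = ["T1060", "T1112"] if info["run_values"] else []
        if info["run_values"] and info["drops"]:
            severity = "high"
        elif info["run_values"]:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "process_guid": guid,
            "image": info["image"],
            "run_values": info["run_values"],
            "drops": info["drops"],
            "run_points_at_drop": points_at_drop,
            "techniques": techniques,
            "severity": severity,
        })
    return findings


# Constructed events; the paths and GUIDs are assumptions, not sandbox output.
DROPPER = "C:\\Users\\victim\\AppData\\Local\\Temp\\INVOICES.exe"
DROPPED = "C:\\Windows\\System32\\dropped_example.exe"
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessGuid": "{A1}", "Image": DROPPER, "TargetFilename": DROPPED},
    {"EventID": 13, "ProcessGuid": "{A1}", "Image": DROPPER, "EventType": "SetValue",
     "TargetObject": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\dropped_example",
     "Details": DROPPED},
    # benign: a service host writing a trace file under System32
    {"EventID": 11, "ProcessGuid": "{B2}", "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetFilename": "C:\\Windows\\System32\\LogFiles\\WMI\\trace.etl"},
    # benign: a registry write outside the Run keys
    {"EventID": 13, "ProcessGuid": "{C3}", "Image": "C:\\Windows\\regedit.exe", "EventType": "SetValue",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['severity']:6} {f['image']} run={len(f['run_values'])} "
              f"drops={len(f['drops'])} points_at_drop={f['run_points_at_drop']} {f['techniques']}")
```

On the constructed events only the dropper process is reported (high, with the Run value pointing at the System32 drop); the svchost write and the Explorer setting are filtered out. SetThreadContext itself is not visible in Sysmon, so that indicator needs an EDR or API-hooking source rather than this script.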

MITRE ATT&CK Matrix (ATT&CK v6)

  Tactic            Technique                            Count  ID
  Persistence       Registry Run Keys / Startup Folder   1      T1060
  Defense Evasion   Modify Registry                      1      T1112
  Discovery         Query Registry                       3      T1012
  Discovery         System Information Discovery         4      T1082

Count is the number of matching signatures. The IDs follow ATT&CK v6; T1060 was later retired and is now T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) in current ATT&CK versions.

Tasks