General
-
Target
SOA_invoice_5940pdf8476.exe
-
Size
613KB
-
Sample
220929-bcsp3saeej
-
MD5
bd370e9146f8eb86733ec0d53e221a53
-
SHA1
231a59c619d85d4fb0b13ddfcb4513c0c115f815
-
SHA256
2d34e24ee550030b1725687c80760814ce8838bcfb1bdf12dd1c3e33bf1c055c
-
SHA512
72ef7516e8e04868ab953f04cc62d4ef3d6e8d5f59c149fed792bad53da69e1d3171c5e15067e29d9a904209123962e437934fd4102598d5630940833cc4b142
-
SSDEEP
12288:VToPWBv/cpGrU3ypG+GDGcfwfZs0BBZlb0mYAWE0fnp:VTbBv5rUOvGDGcfWZNlVl5Ap
Malware Config
Extracted
formbook
hzb3
BVGWUXYpaaEaNSjsCHhJnDJz463cqQ==
CEqdZb0KaOLLbWqrDVTgc20=
nBv0jSFiQHxtE6awQnm2
E1sGpCJYtB8ImaguUyF6yQ==
PMBND7LzJGZH7CXulclbs2c=
u9zzlFGDXo6LLbGwQnm2
SaJjLbtVlMgsP5ZQRj4=
wckwEbwBbKA2X3g=
rPxB8ePUxfu4pilu
S562QFeKY5P//qawQnm2
BkEfWXZuY3ihKW8=
ZanakqMxkP7VdNfWdD4FGDqF
PYYbtzdINC1J0OYzQCk=
Fmg9LBxaPQ==
4eXWfoC06yGAkQ0l+Txs2w==
n68j2X6+CIhsD5GiCMYBsHI=
hRv6hpW3qfLbdI1XJ/J825G1TslJ+1JE
X6PAVGfwPHihKW8=
7zn1tkuDaZ2FKbGwQnm2
lB0m5ghWsSmMpIUS8EBM31l/463cqQ==
Targets
-
-
Target
SOA_invoice_5940pdf8476.exe
-
Size
613KB
-
MD5
bd370e9146f8eb86733ec0d53e221a53
-
SHA1
231a59c619d85d4fb0b13ddfcb4513c0c115f815
-
SHA256
2d34e24ee550030b1725687c80760814ce8838bcfb1bdf12dd1c3e33bf1c055c
-
SHA512
72ef7516e8e04868ab953f04cc62d4ef3d6e8d5f59c149fed792bad53da69e1d3171c5e15067e29d9a904209123962e437934fd4102598d5630940833cc4b142
-
SSDEEP
12288:VToPWBv/cpGrU3ypG+GDGcfwfZs0BBZlb0mYAWE0fnp:VTbBv5rUOvGDGcfWZNlVl5Ap
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Blocklisted process makes network request
-
Executes dropped EXE
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext
-