General

  • Target

    New Inquiry.gz

  • Size

    204KB

  • Sample

    221017-pkwctsbge5

  • MD5

    5141a713766e6038c2115eaa9feb7f78

  • SHA1

    5f423d3813890f30a1ec915e6a091efd8ffb4bbb

  • SHA256

    43963f663331f1fa8342f4e3b7b2112e705ab5094b63bf51a639223321dcc901

  • SHA512

    db9d56a28e8f7f7096fd65f9d9d5f020d59b1c462eb0ff1e7e701204535da83e85ffa7b2a0359976d879b8cf2d3f02731288df8c2a5daf1adba2c8b391fc4f7e

  • SSDEEP

    6144:/iw770eKlIyKefdOd9P7w7wcSWk5BHX5m5Xd8:D77PKlKjdMwcSDB35m9K

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    d06c

  • Decoy


Targets

    • Target

      New Inquiry/New inquiry.exe

    • Size

      236KB

    • MD5

      dd1a098f5e803e0d80f1d7a7333ca8a5

    • SHA1

      224bf29996d204c81e825c28b2955a6f2f01973f

    • SHA256

      48c09aadd19df65dcb19eed8da77377e60aa7e6e5cba53ba0507faa9c550c193

    • SHA512

      d0ef4d2a6dda49b0c513fb76a81f78cba3c67ace14b7254c580b8c41972406bbe3324c0ae7d5bd3e23ee916b8a9080c25b331a80ccf727635da373682627bfc1

    • SSDEEP

      6144:i6bAcJ3iiPiaIj0sBo+0iBDQp9tHjaq8fRlilqaerDbI6Iu:JjIj0op0i1iHHTn0nkO

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion

    1. Modify Registry (T1112)

  • Discovery

    2. Query Registry (T1012)

    3. System Information Discovery (T1082)
