General

  • Target

    Shipment Document BL,INV and packing list.jpg.ace

  • Size

    190KB

  • Sample

    221027-nvkhmscaa3

  • MD5

    432b71470c9c428dafb9bbe4aff7f043

  • SHA1

    c4cc85c90067d0401a4a3bbf69cc2c5fb79a9d55

  • SHA256

    b20f21ae03c89db71ee631ee00a03d45de97a3c15e6045d75bc045cd7e3b5c6a

  • SHA512

    60605431d4c082e3abdfd8ef4c54eabb76624b117fd499a99601150a7d4d730874e79bd8e23645be794e39e10e38ac30f3325bcce54ab21f055887e87a688f46

  • SSDEEP

    3072:NdZxywLo3yMDAAGEzzhd4egV6psjvaemFXNCuhq4LGYofQQqBS6dlksEmLgyqROq:Jx5LovAAGkzD4RJOFXNPq4Po4QLCEIgF

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d06c

Decoy

douglasdetoledopiza.com

yxcc.online

primo.llc

mediamomos.com

cosmetiq-pro.com

22labs.tech

turbowashing.com

lindaivell.site

princess-bed.club

groundget.cfd

agretaminiousa.com

lomoni.com

nessesse.us

lexgo.cloud

halilsener.xyz

kirokubo.cloud

corotip.sbs

meghq.net

5y6s.world

weasib.online

Targets

    • Target

      Shipment Document BL,INV and packing list.jpg.exe

    • Size

      323KB

    • MD5

      858a0b8a0c24df21ce22f3ff702a3737

    • SHA1

      f285429ebe2a75c143abe1fd579c979122c6afe0

    • SHA256

      88819addd430324a7461bdf59c1ab994bc613bb2b17f09e572b7ba1c0c47e6f9

    • SHA512

      cfdab69ebe17d666b05a399c935a28f411a9bc1a5c014dd1fa533043992b7a947d6417982011b9fabc76c21d2d294d6384a2157580fc30b4ef46e53eb0c57ca7

    • SSDEEP

      6144:/6dbOGzzzzzzzzzzzzzzzzzzzzzzzzzzzzkzTzzzzzzQtkauL/sVfEBlUbrQ2Inh:itka2UbrQlZI/JTV6V7KAF

    • Formbook

      Formbook is an information-stealing malware family (credentials, keystrokes, form data).

    • Formbook payload

    • Checks QEMU agent file

      Checks for the presence of the QEMU guest agent file, likely to detect a virtualized (sandbox) environment.

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Drops file in System32 directory

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

  • Query Registry (T1012): 2

  • System Information Discovery (T1082): 2

Tasks