General

  • Target

    PO_SFOWRN5.exe

  • Size

    552KB

  • Sample

    221204-bn5h1shf6v

  • MD5

    af3f0a8b0c0568f110f3b1fdcd70ad42

  • SHA1

    9a5e79a01df75bcb04705ababdd062c2074486e2

  • SHA256

    e7529a2d209e8f8405bfc92ae8f79486335989c0dcb472b678335db442fc6c04

  • SHA512

    c47b704650f791386355068524daf9a1208deb1ece9838175cbe9f41c18c34cf61df96c836ca1781db2e0c986749af7268229e8b29abdcea1c636a04a81f342c

  • SSDEEP

    12288:0oq78ingp/U7aZl/vJJfBbJMlpsG9+9jq:dq7roauJ3JMl9M9j

Malware Config

Extracted

Family

formbook

Campaign

n2hm

Decoy

XCeG4IxNKbAl

YzJWbnC+El84nA==

KAJcdmP8yEcO5LXPCFF42Wfb

I+J+xYO95GJQWVU=

GtgxPPv3FmQmhw==

Og9NYF4xEl+j7vGTR93xvg==

506Cg07bsT0G6yK+A96H0h35V+JLkwI=

wAYXFN+pSFIXgQ==

ijzLI/f+FmQmhw==

UfT2PweNm+w8

GQWVw5aZnfF/kS5e

30BKYjua9zcA7gAwsPUngLnjyrBNEgo=

AM65OrmyFmQmhw==

VSlTVxISZ4J/kS5e

GGKj6K33SRh6e0/YzT5nQGlK5CXRqw==

B9H98cUUfX+AWOqiTA==

MxVffWOIoVnM37zrd2sTaOY=

z6bxCgG/mGhR7oDzQA==

pQgSLSRi6AK3M/PdArpX

6rRRsYuSnXx/kS5e

Targets

    • Target

      PO_SFOWRN5.exe

    • Size

      552KB

    • MD5

      af3f0a8b0c0568f110f3b1fdcd70ad42

    • SHA1

      9a5e79a01df75bcb04705ababdd062c2074486e2

    • SHA256

      e7529a2d209e8f8405bfc92ae8f79486335989c0dcb472b678335db442fc6c04

    • SHA512

      c47b704650f791386355068524daf9a1208deb1ece9838175cbe9f41c18c34cf61df96c836ca1781db2e0c986749af7268229e8b29abdcea1c636a04a81f342c

    • SSDEEP

      12288:0oq78ingp/U7aZl/vJJfBbJMlpsG9+9jq:dq7roauJ3JMl9M9j

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks