General

  • Target

    Invoice.exe

  • Size

    993KB

  • Sample

    221209-rk4qbagb81

  • MD5

    6f4d64fcfbc82b91eb1f5e9fcffd15d3

  • SHA1

    1ebe973942db3da29de1dc292b8a0c8601f1e7a0

  • SHA256

    b747df969c4c80638e92b68759a8ced53c3d14bf705ad0fece792a566c9f3de9

  • SHA512

    073b24ff9c67c8005419678674f2aa79b72a38566a5496023def857379a7a2b8e4468d3f2803da81900eb3c8d80809e6d9a20fea2ef9c7a94f726f27cabc038c

  • SSDEEP

    24576:LIfkZ8IvMSd+WmvcGi+Dgr1hJsOSt3RpLJjpF:LNhvgOGNDO7Hyp

Malware Config

Extracted

Family

formbook

Campaign

wu27

Decoy

69/AbbgufRx7loCQ5G4WYQ==

uydiDFvHsFxlIrdq

NBlmCe8ii+DEa2ye5G4WYQ==

LicGnHCl/UZ2UMg=

e2lQ8e1lsXvAeX+U5G4WYQ==

2bF/M54rOGusdYqc5G4WYQ==

mQLidD9i82JIsrqysw==

ZdlDYrcsl/L9eH+U5G4WYQ==

80ucyjCJdqXkcNI=

/eg6aKbVvNkwOcxzZyAx3cCTN5E=

lflaF0MvE+fHXoWmrg==

qRfykIXbxMkND1kwe3I=

s6iSNSVOMwnpvFDxdFLlOfqBMw==

imkLObSlIdc=

oBUBm36yNaZ99JYxenA=

ngFE7+IP8Te6N75o

O6Htl8Oyjb0Msrqysw==

f4JgCEnC0LEC9w==

9+dNeq/hVxaAhxzT1pbgzZ2mb3Nf

980jQpYF3y1wMomLfWU=

Targets

    • Target

      Invoice.exe

    • Size

      993KB

    • MD5

      6f4d64fcfbc82b91eb1f5e9fcffd15d3

    • SHA1

      1ebe973942db3da29de1dc292b8a0c8601f1e7a0

    • SHA256

      b747df969c4c80638e92b68759a8ced53c3d14bf705ad0fece792a566c9f3de9

    • SHA512

      073b24ff9c67c8005419678674f2aa79b72a38566a5496023def857379a7a2b8e4468d3f2803da81900eb3c8d80809e6d9a20fea2ef9c7a94f726f27cabc038c

    • SSDEEP

      24576:LIfkZ8IvMSd+WmvcGi+Dgr1hJsOSt3RpLJjpF:LNhvgOGNDO7Hyp

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks