General

  • Target

    PRAĆENJE.exe

  • Size

    500KB

  • Sample

    230711-p5cq8aab6v

  • MD5

    ed28797b223174c35338e9c60d458647

  • SHA1

    61421c29e59c86650f90eac70ba0670b04694eb8

  • SHA256

    bf83191dd578c7d4a1ba6c1b3e951aff4fe1b6b2dc59b8dc534f66ba0b530d47

  • SHA512

    6b177c0a1c8793a979237d796ef1b971f74f01b0add120a279bd1540452b328a01ee3647434f850bad99e5a2e53d24639307145711d0d159e87f469319ed463a

  • SSDEEP

    12288:sC3+YT7k0PwTrVg0iT0kB8deUeLZ+pH7f0O58oAUjXA:sa+YHL41gh0/qU3+vULA

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

il09

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader first seen in 2020.

    • Formbook payload

    • Adds policy Run key to start application

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6