General

  • Target

    SWF310130709H10170_doc.exe

  • Size

    407KB

  • Sample

    230712-g8cxdscb98

  • MD5

    c55e2d1a636396d2c6e6ec01d339ae54

  • SHA1

    1e08473eddc5f998e9ac98e9edcb381e9a5b471b

  • SHA256

    a2562e99d8118fcd1d9cd40b1811900664bb3bdd6de0caa5c1dfabd595091b66

  • SHA512

    49aadb4c3098f6cd667f4d493236c083be23fac60f3558dc0a0b7cc2ce08b004daf5ca8490317fe4a7121f1f0f98e9fcf9dec3a70ddad3533df5d003b25d7601

  • SSDEEP

    6144:0qaFH+9DAYmH76d3LCC2QMbg6RFKqSMBlFGObd6SN/hnanHy1FZiSGQsBzM:85lYe7euC2ZbXFKZmc86SRhnanHUX7

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b04a

Decoy

abm9527.com

nirvanicplane.com

fridaythefactory.com

selfmadepromotions.com

josephinefilieri.com

paradise-gaming.com

j-ixshop.com

zenxcoin.com

49499h.com

azizaacademy.com

prestigewdb.com

lungudashi.com

cryptosmartmoneysetup.com

taylordforyoubeauty.com

xn--brstungsgelnder-blb21b.com

rowpy.com

kirizy.com

cearasummit.com

newsbeeindia.com

lucroexcepcional.com

Targets

    • Target

      SWF310130709H10170_doc.exe

    • Size

      407KB

    • MD5

      c55e2d1a636396d2c6e6ec01d339ae54

    • SHA1

      1e08473eddc5f998e9ac98e9edcb381e9a5b471b

    • SHA256

      a2562e99d8118fcd1d9cd40b1811900664bb3bdd6de0caa5c1dfabd595091b66

    • SHA512

      49aadb4c3098f6cd667f4d493236c083be23fac60f3558dc0a0b7cc2ce08b004daf5ca8490317fe4a7121f1f0f98e9fcf9dec3a70ddad3533df5d003b25d7601

    • SSDEEP

      6144:0qaFH+9DAYmH76d3LCC2QMbg6RFKqSMBlFGObd6SN/hnanHy1FZiSGQsBzM:85lYe7euC2ZbXFKZmc86SRhnanHUX7

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Guloader,Cloudeye

      A shellcode based downloader first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks