General

  • Target

    rFATURA_pdf.exe

  • Size

    160KB

  • Sample

    230718-e78xbsha7v

  • MD5

    4c657eec9af70a8027e1842c7effbe9b

  • SHA1

    e37ff77323fe993dda213813246bd0184fe59142

  • SHA256

    93ed7e400500fb1e4be9421400e42ddab0b5cac500929f28bab9fee0c8afea00

  • SHA512

    b5f5333a4474728b6cefee08d306c42bd469853b50669a5a37344b6c8bbe4b64c3e091e0cc70bb968e391b5f88fa42107067eb40a648477b023e1b4a9078d37d

  • SSDEEP

    3072:+NzPHk9MpcQbe0/tU8VmX0KvW8fSPi/mrjubLJ986/J0k+wgTePEGAkjoD+XFgKc:+hRF5/28VmvvEiQEJ986KNTePEN1+1g3

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ls65

Decoy


Targets


    • Formbook

      Formbook is an information-stealing malware family.

    • Guloader, Cloudeye

      A shellcode-based downloader, first seen in 2020.

    • Formbook payload

    • Checks QEMU agent file

      Checks presence of QEMU agent, possibly to detect virtualization.

    • Deletes itself

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6