General

  • Target

    LS24SDE.exe

  • Size

    634KB

  • Sample

    240508-jepp7sca83

  • MD5

    70625bcdbd35c6873bfef64197312647

  • SHA1

    64864eed1451eae8d076458fb6bc005137d1e7c4

  • SHA256

    0445cc730c308b40378c9133d394004d55dfdcb03db7d26485736471af6ba41e

  • SHA512

    f2f709d3586c95daa1cf50715974fb0f55252142edcba96ee069b2e9ad10feb7ee83d56a68a0e7c0cc4792aacd944b4fe10de5b8459b23d80ce4f6ea2172725f

  • SSDEEP

    12288:biETpbMlZRJIC/6GEmg3NQOqRK5sK3LIsbqZBma+LTpkh8WINLKtlcPK5S4T:HbmJIC/3DRTK3wmpmtQK5p
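Before reusing any of the indicators on this page, confirm that the file on your desk is the same sample. The following is an added example, not part of the sandbox report: a small Python script that streams a file through hashlib and compares the MD5/SHA1/SHA256/SHA512 digests against the values quoted above (SSDEEP is left out because it needs the non-standard ssdeep library). Key your decisions on the SHA256 match; MD5 and SHA1 are kept only for cross-referencing older feeds.

```python
import hashlib
import sys

# Digests quoted in the report above for LS24SDE.exe (SSDEEP omitted: it needs
# the non-stdlib ssdeep library rather than hashlib).
REPORTED = {
    "md5": "70625bcdbd35c6873bfef64197312647",
    "sha1": "64864eed1451eae8d076458fb6bc005137d1e7c4",
    "sha256": "0445cc730c308b40378c9133d394004d55dfdcb03db7d26485736471af6ba41e",
    "sha512": "f2f709d3586c95daa1cf50715974fb0f55252142edcba96ee069b2e9ad10feb7"
              "ee83d56a68a0e7c0cc4792aacd944b4fe10de5b8459b23d80ce4f6ea2172725f",
}
ALGORITHMS = tuple(REPORTED)


def digests(data: bytes) -> dict:
    """Lowercase hex digests of an in-memory byte string, one per algorithm."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGORITHMS}


def file_digests(path: str, chunk_size: int = 1 << 20) -> dict:
    """Same as digests() but streams the file, so large samples are not read whole."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare(actual: dict, expected: dict = REPORTED) -> dict:
    """Per-algorithm match result. The expected side is lower-cased because
    feeds and reports quote hex in either case."""
    return {name: actual.get(name) == value.lower() for name, value in expected.items()}


def verify_file(path: str, expected: dict = REPORTED) -> bool:
    """True only if every digest in `expected` matches the file."""
    return all(compare(file_digests(path), expected).values())


if __name__ == "__main__":
    # Usage: python verify_sample.py LS24SDE.exe
    target = sys.argv[1]
    for name, ok in compare(file_digests(target)).items():
        print(f"{name:>6}: {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if verify_file(target) else 1)
```

A mismatch on MD5 or SHA1 alone, with SHA256 matching, is not something a real file can produce by accident; it means the feed you copied the short hash from is wrong, not the sample.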

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jn17

Decoy (hostnames carried in the extracted config; Formbook beacons to the whole list so that the live C2 is hidden among decoys, and decoys are typically unrelated legitimate sites, so treat any single hostname below as a low-confidence indicator on its own)

hynasty.com

africacementreview.com

5280micropantry.com

qcyu2.us

jl777-web.com

hcwsports.com

update-number-au.com

ymymvip.top

postds.buzz

dogwifnobrim.com

usapubpong.com

shopscoopido.com

medical-equipment.company

onyagu.com

tldrparent.com

jvpeople.com

seangalbraithphotography.com

ptt-gov.art

mutcosmeticsec.com

metameme.online

Targets

    • Target

      LS24SDE.exe

    • Size

      634KB

    • MD5

      70625bcdbd35c6873bfef64197312647

    • SHA1

      64864eed1451eae8d076458fb6bc005137d1e7c4

    • SHA256

      0445cc730c308b40378c9133d394004d55dfdcb03db7d26485736471af6ba41e

    • SHA512

      f2f709d3586c95daa1cf50715974fb0f55252142edcba96ee069b2e9ad10feb7ee83d56a68a0e7c0cc4792aacd944b4fe10de5b8459b23d80ce4f6ea2172725f

    • SSDEEP

      12288:biETpbMlZRJIC/6GEmg3NQOqRK5sK3LIsbqZBma+LTpkh8WINLKtlcPK5S4T:HbmJIC/3DRTK3wmpmtQK5p

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service. It harvests credentials from browsers and mail clients, logs keystrokes and clipboard contents, captures screenshots, and can download and run further payloads on instruction from its C2.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes so that the payload and its drop location are no longer scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence (a check that aborts execution when the host is in a region the operator wants to avoid).

    • Deletes itself

    • Suspicious use of SetThreadContext

      Rewriting another thread's context is the step that redirects execution in process hollowing and similar injection techniques, where a payload is written into a suspended process and its entry point is pointed at the injected code.
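The Defender-exclusion behaviour flagged under "Command and Scripting Interpreter: PowerShell" is the most actionable line in the report for a detection engineer. The following is an added example, not part of the sandbox report and not code from the sample: a Python scanner for PowerShell script-block records (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) that flags Add-MpPreference and Set-MpPreference calls adding exclusions or disabling protection features, folding the backtick, whitespace, case and parameter-prefix tricks that PowerShell itself ignores. The records, paths and the record/id/script dictionary shape are constructed for illustration and are assumptions about how you export the log, not a Windows format.

```python
import re

# Constructed records in the shape of PowerShell script-block logging
# (Event ID 4104). The 'record'/'id'/'script' keys are an assumed export
# format; the scripts and paths are illustrative, not taken from the sample.
SAMPLE_EVENTS = [
    {"record": 1, "id": 4104,
     "script": r'Add-MpPreference -ExclusionPath "C:\Users\Public" '
               r'-ExclusionExtension exe,dll -ExclusionProcess "payload.exe"'},
    {"record": 2, "id": 4104,
     "script": 'Set-MpPr`efe`rence -DisableRealtimeMonitoring $true'},   # backtick-split name
    {"record": 3, "id": 4104,
     "script": "Get-MpPreference | Select-Object ExclusionPath"},        # read-only, benign
    {"record": 4, "id": 4103,
     "script": "Add-MpPreference -ExclusionPath C:\\Temp"},              # wrong event id, ignored
    {"record": 5, "id": 4104,
     "script": r"Add-MpPreference -ExclusionPa 'D:\drop'"},               # abbreviated parameter
]

# Cmdlets that change Defender configuration (Get-MpPreference only reads it).
MP_CMDLET = re.compile(r"\b(?:add|set)-mppreference\b")
# One argument: double-quoted, single-quoted, or bare up to whitespace/comma.
VALUE = r"""(?:"[^"]*"|'[^']*'|[^\s,]+)"""
EXCLUSION_PARAM = re.compile(r"-(exclusion[a-z]*)\s+(" + VALUE + r"(?:\s*,\s*" + VALUE + r")*)")
DISABLE_PARAM = re.compile(r"-(disable\w+)\s+(?:\$true|1)\b")
CANONICAL = ("exclusionpath", "exclusionextension", "exclusionprocess", "exclusionipaddress")


def normalize(script: str) -> str:
    """Fold the cheap evasions PowerShell ignores: backtick escapes between
    letters (Set-MpPr`efe`rence), extra whitespace, and letter case. This also
    mangles `n/`t escapes inside strings, which is acceptable for matching names."""
    return " ".join(script.replace("`", "").split()).lower()


def canonical(param: str) -> str:
    """PowerShell accepts any unambiguous prefix of a parameter name, so map
    '-ExclusionPa' to 'exclusionpath'; ambiguous prefixes are left as written."""
    matches = [c for c in CANONICAL if c.startswith(param)]
    return matches[0] if len(matches) == 1 else param


def scan_script_block(script: str):
    """Return a finding dict for a script block that tampers with Defender, else None."""
    text = normalize(script)
    cmdlet = MP_CMDLET.search(text)
    if not cmdlet:
        return None
    exclusions, disabled = {}, []
    for m in EXCLUSION_PARAM.finditer(text):
        # Comma-separated lists are common; quoted values containing commas are not handled.
        values = [v.strip().strip("\"'") for v in m.group(2).split(",")]
        exclusions.setdefault(canonical(m.group(1)), []).extend(values)
    for m in DISABLE_PARAM.finditer(text):
        disabled.append(m.group(1))
    if not exclusions and not disabled:
        return None
    return {"cmdlet": cmdlet.group(0), "exclusions": exclusions, "disabled": disabled}


def scan_events(events) -> list:
    """Apply scan_script_block to every 4104 record; one finding per hit."""
    hits = []
    for ev in events:
        if ev.get("id") != 4104:
            continue
        finding = scan_script_block(ev["script"])
        if finding:
            hits.append({"record": ev["record"], **finding})
    return hits


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
```

Event 4104 only exists where Script Block Logging is enabled; if the sample instead launches powershell.exe with -EncodedCommand, decode the Base64 UTF-16LE argument from the process-creation event before feeding it to scan_script_block. Defender also records configuration changes itself (Event ID 5007 in Microsoft-Windows-Windows Defender/Operational), which corroborates a hit, and `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess` on the host shows what is currently excluded.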

MITRE ATT&CK Enterprise v15

Tasks