General

  • Target: 36ea0fcb3de1dc5e44093421767b3d4ce59b7a04e2d800d663ae63c745e0c98b.zip
  • Size: 507KB
  • Sample: 240511-blsfnscf9x
  • MD5: 1ed979112a4dbdcd8493f612d656ed1f
  • SHA1: 046867a298a2425bf7d186e9d876d2316a7cecbf
  • SHA256: 36ea0fcb3de1dc5e44093421767b3d4ce59b7a04e2d800d663ae63c745e0c98b
  • SHA512: 1df21665c69f7b62fcfb6bc4f8dcdb370d7a33438c895a4ea99a2ff3f8b345eec12ca966df5e5801c9017024ec3ae4e631ba38712159eab22bca8e007bd6d771
  • SSDEEP: 6144:UyKMeQYD+lA9jGKocCU2u8Sof1Bu1oowhqnXr9EXGgmV8qSMikJseAmAzRaviWe:nKMeD6e4FcCTSoDW1AVmVLSMtAzAviWe

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: ij84
  • Decoy


Targets

    • Target: NEW ORDER43524#.exe
    • Size: 816KB
    • MD5: 240f134e5318c9efc8f4edb219a9b16f
    • SHA1: 7150a57a5817c1602524fc2b3b8dfc2910b77148
    • SHA256: 9dad6e1350810eaee247d225c134a39441f286907c861fd6c825656cc9224613
    • SHA512: 704090e6007ae618f397d86ec1c7ffd8b2152cb2dfcbe6813a4d04963f07805ff7fd7f3ae4bdf99477f0791c31ede7609f59265a803893c7c89f07b62841f581
    • SSDEEP: 12288:JYuePwisfcgWf/j5VtK+CVINMX9yKBg7vj1UJ:2uIydk/jPoi+9yKe/1U

    • Formbook
      Formbook is a data-stealing malware family.
    • Formbook payload
    • Checks computer location settings
      Looks up the country code configured in the registry, likely as a geofence.
    • Drops startup file
    • Executes dropped EXE
    • Loads dropped DLL
    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks