General

  • Target: Pedido de compra urgente.exe
  • Size: 1.2MB
  • Sample: 240521-ebphtagd66
  • MD5: ae2709b53bbe59af6094b3721d2e43e4
  • SHA1: 85dd2c7acf90d25e656598d30008bc77f3d4a60b
  • SHA256: 01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b
  • SHA512: 9c62a99a932e173939614c638d524ce33ee68b5985eda8e9737f07584a8c9f40c8b13b42b206d6a221092bdd2aa39a5ab3860a3ca6a877282578e2bf587d124b
  • SSDEEP: 24576:LiTAD3InHT6elgPzH6s5K4Z3LpNnp+JNwIl7TaTpCGCcYjb:LeM3LjgTv5T09nYjb

Malware Config (extracted)

  • Family: formbook
  • Version: 4.1
  • Campaign: gy14
  • Decoy domains


Targets

    • Target: Pedido de compra urgente.exe

    • Formbook: Formbook is an information-stealing malware family.

    • Formbook payload

    • Adds policy Run key to start application

    • Reads user/profile data of web browsers: infostealers often target stored browser data, which can include saved credentials and similar secrets.

    • Mark of the Web detected: this indicates that the page was originally saved or cloned.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix (ATT&CK v13)

  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

  • Defense Evasion
    • Modify Registry (T1112): 2

  • Credential Access
    • Unsecured Credentials (T1552): 1
    • Credentials In Files (T1552.001): 1

  • Collection
    • Data from Local System (T1005): 1
