General

  • Target

    01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b.exe

  • Size

    1.2MB

  • Sample

    240522-r1eq5aef7y

  • MD5

    ae2709b53bbe59af6094b3721d2e43e4

  • SHA1

    85dd2c7acf90d25e656598d30008bc77f3d4a60b

  • SHA256

    01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b

  • SHA512

    9c62a99a932e173939614c638d524ce33ee68b5985eda8e9737f07584a8c9f40c8b13b42b206d6a221092bdd2aa39a5ab3860a3ca6a877282578e2bf587d124b

  • SSDEEP

    24576:LiTAD3InHT6elgPzH6s5K4Z3LpNnp+JNwIl7TaTpCGCcYjb:LeM3LjgTv5T09nYjb

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy14

Decoy

mavbam.com

theanhedonia.com

budgetnurseries.com

buflitr.com

alqamarhotel.com

2660348.top

123bu6.shop

v72999.com

yzyz841.xyz

247fracing.com

naples.beauty

twinklethrive.com

loscaseros.com

creditspisatylegko.site

sgyy3ej2dgwesb5.com

ufocafe.net

techn9nehollywoodundead.com

truedatalab.com

alterdpxlmarketing.com

harborspringsfire.com

Targets

    • Target

      01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b.exe

    • Size

      1.2MB

    • MD5

      ae2709b53bbe59af6094b3721d2e43e4

    • SHA1

      85dd2c7acf90d25e656598d30008bc77f3d4a60b

    • SHA256

      01e091955a83ba50c3b6324a89c6007d77798134465e1189cc3259906785262b

    • SHA512

      9c62a99a932e173939614c638d524ce33ee68b5985eda8e9737f07584a8c9f40c8b13b42b206d6a221092bdd2aa39a5ab3860a3ca6a877282578e2bf587d124b

    • SSDEEP

      24576:LiTAD3InHT6elgPzH6s5K4Z3LpNnp+JNwIl7TaTpCGCcYjb:LeM3LjgTv5T09nYjb

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook payload

    • Adds policy Run key to start application

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Execution

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

Modify Registry

2
T1112

Scripting

1
T1064

Tasks