General

  • Target

    047a5be8903cdbf5dc75d20570a542b9b36b8e38f05f9ed1cfd9fa66ed70cae9.zip

  • Size

    3KB

  • Sample

    240710-rn8hnsvepd

  • MD5

    d40e770f7e79ad3c8d83617022868da5

  • SHA1

    7f76ca9a559a3ecdcc17e31730ec8f954fae5a9c

  • SHA256

    047a5be8903cdbf5dc75d20570a542b9b36b8e38f05f9ed1cfd9fa66ed70cae9

  • SHA512

    8e4098d8ce24c695db968b963cbd3008e067a4b142b78ae709a533ed3b4457afbc14f667e38d60a072d27013e10eef405765864814c57c263fb78b5c55d1af00

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd01

Decoy

1prostitutki-chelyabinska.com

o2v7c.rest

something-organized.com

etc99.store

perksaccess.contact

consuyt.xyz

dscmodelpapers.com

dana88.lat

dumange.com

pointlomabarreboutique.com

djtmaga.net

dentisttanger.com

17251604.com

dogcatshoponline.com

eppgrandeur.com

jyty3500.com

felixkang.asia

xn--22ck2ci1dl0f7b7h.com

milliesrecruitment.com

www333804000.com

Targets

    • Target

      BL1+2 DRAFT.cmd

    • Size

      6KB

    • MD5

      258ffbda1b464ed86e65e5ae803f96d2

    • SHA1

      d338e8f630c6839ff7f832605ec2aa3c78d4e865

    • SHA256

      3e8bac2f692d7ec30b435f1555ed080ca79aa191fcf9f32dad8658243d3fcebe

    • SHA512

      2fa183c88815f293fb3a5b5a03977250dcd6ac72c586d7028677d1137cd6b20f92adfb76880886319b57fe496c6c146c4e5c30f4e7104647e89a5be976683bd5

    • SSDEEP

      192:T6Ix3c1+Dt0yCSKUQC7f7C5mUGBxgxvxC:T6xnXK76mxBuC

    • Formbook

Formbook is an information-stealing malware family that harvests credentials and form data from browsers and other applications and sends them to its C2; the decoy domains in the extracted config are contacted alongside the real C2 to hide it.

    • Guloader,Cloudeye

A shellcode-based downloader, first seen in 2020, commonly used to deliver stealers such as Formbook.

    • Formbook payload

    • Adds policy Run key to start application

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell with its console window hidden from the user.

    • Reads user/profile data of web browsers

Infostealers often target stored browser data, which can include saved credentials, cookies, session tokens and autofill data.

    • Adds Run key to start application

    • Suspicious use of NtCreateThreadExHideFromDebugger

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
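The signatures above describe host behaviour that is easy to hunt for in endpoint telemetry. The following is an added example, not code from the sandbox or from this report: detection logic for the flagged behaviours (hidden-window PowerShell spawned from a script host, Run and policy Run key persistence, a script host making a network request) run over Sysmon-style events. The event shape, the blocklist of script hosts, the ATT&CK technique mapping and every sample event are assumptions constructed for the example; only the target file name comes from the report. The in-process tricks (ThreadHideFromDebugger, SetThreadContext) are visible only to an API hook or EDR, not to Sysmon, so they are out of scope here.

```python
"""Hunt for the behaviours flagged in the sandbox report over Sysmon-style
events: ID 1 (process create), ID 3 (network connect), ID 13 (registry value
set).  Added example with constructed events; not part of the report."""
import re
from collections import Counter
from dataclasses import dataclass
from ntpath import basename

# Autostart locations: classic Run/RunOnce keys and the Explorer policy Run key
# ("Adds policy Run key to start application" in the report).
POLICY_RUN_RE = re.compile(r"\\Policies\\Explorer\\Run\\[^\\]+$", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)
# -WindowStyle Hidden and the abbreviations PowerShell accepts (-w h, -win hidden).
HIDDEN_WINDOW_RE = re.compile(r"(?:^|\s)-w[a-z]*\s+h(?:idden)?(?:\s|$)", re.I)
# Autostart values pointing into user-writable locations deserve extra weight.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
# Assumption: script hosts that rarely have a legitimate reason to talk to the
# network directly, standing in for the sandbox's own process blocklist.
NETWORK_BLOCKLIST = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


@dataclass
class Event:
    event_id: int
    image: str                 # full path of the acting process
    parent_image: str = ""     # ID 1 only
    command_line: str = ""     # ID 1 only
    target_object: str = ""    # registry path (ID 13)
    details: str = ""          # registry value data (ID 13)
    dest: str = ""             # "ip:port" (ID 3)


def analyze(events):
    """Return (technique, description, event) for every suspicious event.
    Technique IDs are the author's ATT&CK mapping, not the report's."""
    findings = []
    for ev in events:
        img = basename(ev.image).lower()
        parent = basename(ev.parent_image).lower()
        if ev.event_id == 1 and img in POWERSHELL:
            if HIDDEN_WINDOW_RE.search(ev.command_line):
                findings.append(("T1564.003", "PowerShell started with hidden window", ev))
            if parent in SCRIPT_HOSTS:
                findings.append(("T1059.001", f"PowerShell spawned by script host {parent}", ev))
        elif ev.event_id == 13:
            where = " (user-writable path)" if USER_WRITABLE_RE.search(ev.details) else ""
            if POLICY_RUN_RE.search(ev.target_object):
                findings.append(("T1547.001", "policy Run key added" + where, ev))
            elif RUN_KEY_RE.search(ev.target_object):
                findings.append(("T1547.001", "Run key added" + where, ev))
        elif ev.event_id == 3 and img in NETWORK_BLOCKLIST:
            findings.append(("T1071", f"blocklisted process {img} made network request", ev))
    return findings


def technique_counts(findings):
    """Collapse findings into {technique: count} for a quick triage summary."""
    return dict(Counter(t for t, _, _ in findings))


# Constructed events modelling the chain in the report: cmd.exe runs the .cmd
# dropper, which launches hidden PowerShell, installs persistence and calls out.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
HIVE = r"HKU\S-1-5-21-1111-2222-3333-1001"   # placeholder user hive
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          r'cmd.exe /c "C:\Users\user\Desktop\BL1+2 DRAFT.cmd"'),
    Event(1, PS, r"C:\Windows\System32\cmd.exe",
          "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File stage.ps1"),
    Event(13, PS, target_object=HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
          details=r"C:\Users\user\AppData\Roaming\Updater\updater.exe"),
    Event(13, PS, target_object=HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Updater",
          details=r"C:\Users\user\AppData\Roaming\Updater\updater.exe"),
    Event(3, PS, dest="203.0.113.10:80"),
    # Benign controls: an interactive PowerShell and an unrelated registry write.
    Event(1, PS, r"C:\Windows\explorer.exe", "powershell.exe -NoProfile -Command Get-Date"),
    Event(13, r"C:\Windows\System32\svchost.exe",
          target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Foo\DisplayName",
          details="Foo"),
]

if __name__ == "__main__":
    for tech, desc, ev in analyze(SAMPLE_EVENTS):
        print(f"{tech:10} {desc}: {ev.command_line or ev.target_object or ev.dest}")
    print(technique_counts(analyze(SAMPLE_EVENTS)))
```

Each finding is emitted on its own so that the chain (hidden PowerShell from cmd.exe, then two autostart writes into AppData, then the same process reaching out) can be correlated on the process image; on a real host the two benign control events produce nothing, which is the part worth checking before deploying any of these patterns as alerts.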

MITRE ATT&CK Enterprise v15

Tasks