General

  • Target

    MalwareBazaar.16

  • Size

    620KB

  • Sample

    240711-kaxqpazgng

  • MD5

    6f6db1e7da6dcc039ad7a1bb95d153eb

  • SHA1

    4e69bc26c9e11faececb76dfb4876165842a7383

  • SHA256

    8bd0c48813f5c2578c3932b60ef84e4d62f7620f4f7e26d942f9765e2a589eae

  • SHA512

    0088f6a5cae353de2d418d942b0f16d82883bdd55af64af433f4d10a1b29b044c8892c246fa3cc4b70b364b213be4ec05b4874bcccd316d9d475b52981ff98b6

  • SSDEEP

    12288:eb+YVK+orv7oWukJFoimuR6W5lzi7Cq82cXEC1ki2rpEWdzFTTLyh:V1+jMBmu3zCxcj1kdEcF

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    sp26

  • Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks