General

  • Target

    11072024_1644_11072024_Potvrda.tar

  • Size

    744KB

  • Sample

    240711-t86wpaxfpg

  • MD5

    349d052bb22604a4989400189270a811

  • SHA1

    942c14058419b3e9c78cc021e1daecf81d7ef7e0

  • SHA256

    841657ec7ffc08e110f6d4cc36b785d632bc502f12a94e6753570c75ab6b6aff

  • SHA512

    6aa12aee80fd9a6580bb1b33a2724f8bc180dabf1c9e832f9a2fef99c9be6fe6ec3f622ebd321b76e30993ddbd2d9af32c8cd7714d4454bae3c1feecfbe611e6

  • SSDEEP

    12288:c/Riizf8iXiDrItWC6K6jYuVsD5x+1eyOEjLQ2N55Ob5PSOL8qOWo5idI93cC31T:UR3T+guK6LVsD5XsN55O8OxOWa0IVcCd

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn03

Decoy

almouranipainting.com

cataloguia.shop

zaparielectric.com

whcqsc.com

ioco.in

aduredmond.com

vavada611a.fun

humtivers.com

jewellerytml.com

mcapitalparticipacoes.com

inhlcq.shop

solanamall.xyz

moviepropgroup.com

thegenesis.ltd

cyberxdefend.com

skinbykoco.com

entermintlead.com

honestaireviews.com

wyclhj7gqfustzp.buzz

w937xb.com

Targets

    • Target

      Potvrda.cmd

    • Size

      1.0MB

    • MD5

      c9ad0db8c48595796320909adcf7a303

    • SHA1

      a9a21e3819907bba8fc0661e84fe0a7e49b4905c

    • SHA256

      909903adda36dcfc103a5260990c7ca1f47b4644672f2d94446c7e6e86f25a35

    • SHA512

      cdb375e941627757cc78f4bb1b7360b8512c4f0f3a145203b5807f7027d4a952f129f4a6367e7cbd9e0bd3613bd573eafb17e6967beb36e1039f99cb20f05f4f

    • SSDEEP

      24576:3r+gYZO1+u+KAgevoPUENFs0Y09Ea9P+Ex4yE:QRnyHp9O

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks