General

  • Target

    9d8bba178d59f8e1a7bbf2d793b30c58.exe

  • Size

    1.6MB

  • Sample

    240712-n2xfsascpk

  • MD5

    9d8bba178d59f8e1a7bbf2d793b30c58

  • SHA1

    fcd9ddb47e8faac52d5f9450cbe8970d259cd63f

  • SHA256

    2908b204b48c6e54598045bed024df0a256f41d0e53239f5d5606d2be8111c07

  • SHA512

    e4e9223b006a7813ced3cf124ca25db3214929cc03d2b14688ba23f5b34949f4f156d646b5eb2f5d75ac17d526537b699f844bccdd19baa205a36de5b1d449b8

  • SSDEEP

    12288:TNLnJocGYWkX35QDuPSzBzsFXFIntvrP9zVYL/EyN7T20:JLnrNWkXo1BzsdeFxzS4ydi0

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family (an information stealer).

    • UAC bypass

    • Windows security bypass

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks