General

  • Target

    6887db1f6c75ae73f95dc1e8b7ba45f0N.exe

  • Size

    700KB

  • Sample

    240713-jf93jathne

  • MD5

    6887db1f6c75ae73f95dc1e8b7ba45f0

  • SHA1

    a6eae243627dd243dfc1ba7d8ecb0db32d2b04e0

  • SHA256

    e1153fa8e128ce45bc1fd82c073aa9724653ae65a621f7accf41a7b4ea542906

  • SHA512

    8ce6ac3dd86793027a12f48f451d141d809b0c757177e60aedfef2d8e57ae12f039035f43e45696e059edffe4edf7f10e42a53f1b796f7740f23483399984fad

  • SSDEEP

    12288:GVkFuwcbZzHNoW1XMn+oCUufZv7ftOwz3geqeDWSmb6+Sg:hZAZzHNoW1O+oWZv7frzwvTb6+Sg

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

h209

Decoy


Targets


    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofencing check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15
