General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.13937.11977.exe

  • Size

    691KB

  • Sample

    240715-g52rcavfmh

  • MD5

    c2ae4fdb661a151be4876289ed7f8261

  • SHA1

    f8fbb8b8ddb55aacc20449ff2bd5d671e4cbb9fa

  • SHA256

    d58780d1d574bfe77c6f9cfad1cf4b51522231b2699081befd5bbd15f7309aa0

  • SHA512

    2642eac12e6a42fbd503621871802da278e0c68a4678675ddbe71f66d7a2b7d0ed8a22640c13d153ea63bcb33f7f13ae32eaa3e444fc451c64a1839d8cc91c89

  • SSDEEP

    12288:luCDWx2PQfnESfZ0nl+xD4u1JW31MlxwXY5oMY3tQMmVHMe3+L4Ull0l8fkR:/awMnESR0nl+Z9OSXwXuoaVse3+sCie6

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    45er

  • Decoy


Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks