General

  • Target

    ESW2091H52Y6.gz

  • Size

    587KB

  • Sample

    240717-t3q82ssema

  • MD5

    3a836b29854421f24954fdfa776aa01e

  • SHA1

    f199cc055e9a96f8f048f6eb69b5e4766a312f95

  • SHA256

    5550ba206748ee9f180a6a868ebd342ead8432b7cfecf0c02f37da86f913fe2a

  • SHA512

    f59f75e87804c4a6b3eecd97746dc201b15209b108b7bd7977210f12df513bc37151a960f2c8d3ba9b0d32c3c61c6bfc3d49428c7c28097ab48d95dfa49601b1

  • SSDEEP

    12288:LyAauUpRc10sMuIf1GIH+euJDF6uFgSwe4UdmW7TcaqsOU:PaHI108ImVb6uFgSt4U17Tn4U

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

de94

Decoy

way2future.net

worldnewsdailys.online

rendamaisbr.com

s485.icu

vcxwpo.xyz

imagivilleartists.com

herbatyorganics.com

xn--80ado1abokv5d.xn--p1acf

invigoratewell.com

especialistaleitura.online

pkrstg.com

performacaretechnical.com

dreamgame55.net

hkitgugx.xyz

istanlikbilgiler.click

slotter99j.vip

exploringtheoutdoors.net

triberoots.com

energiaslotsbet.com

dkforcm.com

Targets

    • Target

      ESW2091H52Y6.vbe

    • Size

      4.7MB

    • MD5

      6d933e921beffff0992ccdb64bbfa968

    • SHA1

      24149345e79200dc21fb6d853e62d7e9ceaf605c

    • SHA256

      1d204cb5dccb45236e756ff1d5e1605ab30b67948a40af27c195b6d4f2e5a2ae

    • SHA512

      9b8ea5fe63f9e3ae856bdf437bb18f94d923d2674f6d085d65a8d3cf95b58ff10fee530e7ed290fd87995e3c4ea7562334e7c9f2d48736410bd20f168272d4b4

    • SSDEEP

      12288:sk+zeB3lLnyTHm63p8P+RQf77puZL0Sfr3ucJ6q53mxmaQEd1wZ4mjBRclC:skbhAFDu7pjSfaI52xmX4mjBRB

    • Formbook

      Formbook is an information stealer: it logs keystrokes, harvests form submissions and saved credentials from browsers and mail clients, and reports to a command-and-control server hidden among decoy domains.

    • Formbook payload

    • Adds policy Run key to start application

    • Checks computer location settings

      Looks up the country code configured in the registry, likely to geofence execution.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext
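
The hashes listed for both targets and the decoy-domain list from the extracted config are the actionable indicators on this page. The script below is an added example, not part of the sandbox report or of Formbook itself: it hashes a file the way the report does (MD5/SHA1/SHA256, streamed so a large sample does not have to fit in memory), checks the result against the report's values, and turns the decoy list into a deduplicated DNS blocklist with both the A-label (punycode) and U-label (Unicode) form of the IDN entry. Formbook contacts its live C2 from a list padded with decoys, so every listed domain is worth blocking rather than trying to pick the real one. The Suricata rule format and the SID range are assumptions, not something the report supplies.

```python
import hashlib

# Hashes copied from the report above, keyed by target name.
REPORT_HASHES = {
    "ESW2091H52Y6.gz": {
        "md5": "3a836b29854421f24954fdfa776aa01e",
        "sha1": "f199cc055e9a96f8f048f6eb69b5e4766a312f95",
        "sha256": "5550ba206748ee9f180a6a868ebd342ead8432b7cfecf0c02f37da86f913fe2a",
    },
    "ESW2091H52Y6.vbe": {
        "md5": "6d933e921beffff0992ccdb64bbfa968",
        "sha1": "24149345e79200dc21fb6d853e62d7e9ceaf605c",
        "sha256": "1d204cb5dccb45236e756ff1d5e1605ab30b67948a40af27c195b6d4f2e5a2ae",
    },
}

# Decoy domains from the extracted Formbook config, copied verbatim from the report.
DECOY_DOMAINS = [
    "way2future.net", "worldnewsdailys.online", "rendamaisbr.com", "s485.icu",
    "vcxwpo.xyz", "imagivilleartists.com", "herbatyorganics.com",
    "xn--80ado1abokv5d.xn--p1acf", "invigoratewell.com",
    "especialistaleitura.online", "pkrstg.com", "performacaretechnical.com",
    "dreamgame55.net", "hkitgugx.xyz", "istanlikbilgiler.click", "slotter99j.vip",
    "exploringtheoutdoors.net", "triberoots.com", "energiaslotsbet.com", "dkforcm.com",
]

HASH_NAMES = ("md5", "sha1", "sha256")


def hash_bytes(data):
    """Hash an in-memory blob with the same three algorithms the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in HASH_NAMES}


def hash_file(path, chunk_size=1 << 20):
    """Hash a file in one streaming pass so large samples need not fit in memory."""
    hashers = {name: hashlib.new(name) for name in HASH_NAMES}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_report(hashes, report=REPORT_HASHES):
    """Return the report target whose hashes all agree with `hashes`, else None.

    All three digests must match; a lone MD5 hit is not treated as a match."""
    for target, expected in report.items():
        if all(hashes.get(name, "").lower() == digest for name, digest in expected.items()):
            return target
    return None


def normalize_domain(domain):
    """Lowercase, strip a trailing dot, and decode punycode labels to Unicode.

    Invalid punycode is left as-is rather than dropped, so the A-label still gets blocked."""
    ascii_form = domain.strip().rstrip(".").lower()
    try:
        unicode_form = ascii_form.encode("ascii").decode("idna")
    except UnicodeError:
        unicode_form = ascii_form
    return ascii_form, unicode_form


def build_dns_blocklist(domains=DECOY_DOMAINS):
    """Deduplicate the config's domains; returns (A-label, U-label) pairs in original order."""
    seen = set()
    entries = []
    for domain in domains:
        ascii_form, unicode_form = normalize_domain(domain)
        if ascii_form in seen:
            continue
        seen.add(ascii_form)
        entries.append((ascii_form, unicode_form))
    return entries


def suricata_rules(entries, base_sid=9000001):
    """Emit one Suricata dns.query rule per domain (assumed rule format and SID range)."""
    rules = []
    for i, (ascii_form, _) in enumerate(entries):
        rules.append(
            f'alert dns any any -> any any (msg:"Formbook de94 decoy/C2 lookup {ascii_form}"; '
            f'dns.query; content:"{ascii_form}"; nocase; endswith; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "->", match_report(hash_file(path)) or "no match")
    for rule in suricata_rules(build_dns_blocklist()):
        print(rule)
```

Run it with sample paths as arguments to check them against the report, or with none to print the rules. The `endswith` modifier keeps `way2future.net` from also matching `notway2future.net`, and the Unicode form is kept alongside the punycode one because DNS logs and proxy logs do not agree on which form they record.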

MITRE ATT&CK Enterprise v15

Tasks