General

  • Target

    39311b433f6276e149337d9a2dc1ab00N.exe

  • Size

    628KB

  • Sample

    240718-avjz8awgrk

  • MD5

    39311b433f6276e149337d9a2dc1ab00

  • SHA1

    fae8205b2a25d3d3b904352d30b9f986a2e5d653

  • SHA256

    a6c0617a5675430db1e325776159f156c4fba0a6592f87bd4145a614a2163b73

  • SHA512

    ddc3672e209d65221ccdc6ac1a58c4a8d8aea29b617061dd8813f5502547e6de06cdf6dd07e48aa28e3333147bd439dcb33633c97944f3b634f0650209e524cc

  • SSDEEP

    12288:D+Wx2PQfLfEpCv8IFaCvSi07zUQSx2kKpv3YJix+JMmJkm:TwMrYQaCvSHn1tv3Y48Nd

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pz12

Decoy

paucanyes.com

autonwheels.com

cowboysandcaviarbar.com

fitnessengineeredworkouts.com

nuevobajonfavorito.com

dflx8.com

rothability.com

sxybet88.com

onesource.live

brenjitu1904.com

airdrop-zero1labs.com

guangdongqiangzhetc.com

apartments-for-rent-72254.bond

ombak99.lol

qqfoodsolutions.com

kyyzz.com

thepicklematch.com

ainth.com

missorris.com

gabbygomez.com
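The decoy list above is the part of the extracted configuration most directly usable for detection. Formbook configurations list the real C2 among decoy domains, and the bot contacts several of the listed names per run, so a host that resolves more than one of them is a stronger signal than a single lookup. The following is an added example, not code from the sandbox or from the sample: it copies the "Decoy" list verbatim and matches constructed DNS query log lines against it with proper suffix matching (so `notdflx8.com` does not match `dflx8.com`), then counts distinct indicators per client. The log format, timestamps and client addresses are constructed for the example.

```python
"""Match DNS query logs against the decoy domains extracted from this sample.

Added example, not code from the report or the sandbox.  DECOY_DOMAINS is
copied from the "Decoy" section of the report; the DNS log lines, their
format and the client addresses are constructed for the example.
"""
from collections import defaultdict
from typing import NamedTuple

# Copied verbatim from the extracted Formbook configuration above.
DECOY_DOMAINS = (
    "paucanyes.com", "autonwheels.com", "cowboysandcaviarbar.com",
    "fitnessengineeredworkouts.com", "nuevobajonfavorito.com", "dflx8.com",
    "rothability.com", "sxybet88.com", "onesource.live", "brenjitu1904.com",
    "airdrop-zero1labs.com", "guangdongqiangzhetc.com",
    "apartments-for-rent-72254.bond", "ombak99.lol", "qqfoodsolutions.com",
    "kyyzz.com", "thepicklematch.com", "ainth.com", "missorris.com",
    "gabbygomez.com",
)


class Hit(NamedTuple):
    timestamp: str
    client: str
    qname: str       # the query name exactly as logged
    indicator: str   # the normalized indicator it matched


def normalize_name(name: str) -> str:
    """Lower-case and drop the trailing dot that resolver logs often add (example.com.)."""
    return name.rstrip(".").lower()


def matching_indicator(qname: str, indicators=DECOY_DOMAINS):
    """Return the indicator that qname equals or sits under, or None.

    Comparing against '.' + indicator instead of a bare endswith() is what
    keeps 'notdflx8.com' from matching 'dflx8.com'; the equality test keeps
    'onesource.live.example.org' from matching 'onesource.live'.
    """
    q = normalize_name(qname)
    for ind in indicators:
        i = normalize_name(ind)
        if q == i or q.endswith("." + i):
            return i
    return None


# Constructed DNS log lines (not from the report): "<timestamp> <client> <qtype> <qname>".
SAMPLE_DNS_LOG = [
    "2024-07-18T10:01:02Z 10.0.0.15 A www.paucanyes.com.",          # subdomain + trailing dot
    "2024-07-18T10:01:04Z 10.0.0.15 A dflx8.com",                   # exact match
    "2024-07-18T10:01:05Z 10.0.0.15 A Airdrop-Zero1Labs.COM",       # mixed case
    "2024-07-18T10:01:09Z 10.0.0.15 A ombak99.lol",
    "2024-07-18T10:02:00Z 10.0.0.22 A notdflx8.com",                # must NOT match dflx8.com
    "2024-07-18T10:02:01Z 10.0.0.22 A onesource.live.example.org",  # must NOT match onesource.live
    "2024-07-18T10:02:03Z 10.0.0.22 AAAA www.google.com",
]


def scan_dns_log(lines, indicators=DECOY_DOMAINS):
    """Return a Hit for every query whose name equals or falls under an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        timestamp, client, _qtype, qname = parts[:4]
        ind = matching_indicator(qname, indicators)
        if ind is not None:
            hits.append(Hit(timestamp, client, qname, ind))
    return hits


def distinct_indicators_per_client(hits):
    """Count distinct matched indicators per client; several per host is the stronger signal."""
    seen = defaultdict(set)
    for h in hits:
        seen[h.client].add(h.indicator)
    return {client: len(inds) for client, inds in seen.items()}


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client} {h.qname} -> {h.indicator}")
    print(distinct_indicators_per_client(found))
```

Feed it whatever your resolver or DNS sensor emits by adjusting the `line.split()` field positions in `scan_dns_log`; the matching logic itself does not depend on the log format.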

Targets

    • Target

      39311b433f6276e149337d9a2dc1ab00N.exe

    • Size

      628KB

    • MD5

      39311b433f6276e149337d9a2dc1ab00

    • SHA1

      fae8205b2a25d3d3b904352d30b9f986a2e5d653

    • SHA256

      a6c0617a5675430db1e325776159f156c4fba0a6592f87bd4145a614a2163b73

    • SHA512

      ddc3672e209d65221ccdc6ac1a58c4a8d8aea29b617061dd8813f5502547e6de06cdf6dd07e48aa28e3333147bd439dcb33633c97944f3b634f0650209e524cc

    • SSDEEP

      12288:D+Wx2PQfLfEpCv8IFaCvSi07zUQSx2kKpv3YJix+JMmJkm:TwMrYQaCvSHn1tv3Y48Nd

    • Formbook

      Formbook is an information-stealing malware family (form grabbing, keylogging, and credential theft from browsers and mail clients) sold as malware-as-a-service; the extracted configuration above gives this sample's version, campaign tag, and decoy domain list.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes (typically via Add-MpPreference) so that the excluded items are no longer scanned.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Suspicious use of SetThreadContext
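Of the signatures above, the PowerShell one (Defender exclusions added through Add-MpPreference or Set-MpPreference) is the easiest to turn into a detection from process-creation or PowerShell script-block logs. The following is an added example, not code from the sandbox or from the sample: it scans constructed command lines for those cmdlets, decodes a `-EncodedCommand` argument first, accepts the abbreviated parameter names PowerShell allows, and returns which paths, extensions or processes were excluded. The log lines are constructed for the example; the cmdlet and parameter names are the real Defender ones.

```python
"""Flag PowerShell that adds Windows Defender exclusions.

Added example for this report (not code from the sandbox or from the
sample): scans constructed process command lines / Event ID 4104 script
block text for Add-MpPreference or Set-MpPreference calls that pass an
-Exclusion* parameter, decoding -EncodedCommand first, and returns what
was excluded so an analyst sees what Defender will stop scanning.
"""
import base64
import re
from dataclasses import dataclass

# Add-MpPreference appends to the exclusion lists; Set-MpPreference replaces them.
CMDLET_RE = re.compile(r"\b(Add|Set)-MpPreference\b", re.IGNORECASE)
# Any -Exclusion* parameter and its argument(s), up to the next -Parameter or end of segment.
# \w* instead of the full names because PowerShell accepts unambiguous prefixes
# such as -ExclusionPa or -ExclusionProc.
PARAM_RE = re.compile(r"-(Exclusion\w*)\s+(.*?)(?=\s-[A-Za-z]|$)", re.IGNORECASE)
# Common spellings of powershell.exe -EncodedCommand (base64 of UTF-16LE script text).
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Individual argument tokens: quoted strings or bare words separated by commas/whitespace.
VALUE_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[^,\s]+')


@dataclass(frozen=True)
class Exclusion:
    line_no: int     # index of the log line the exclusion came from
    cmdlet: str      # Add-MpPreference / Set-MpPreference as written
    kind: str        # path / extension / process / other
    values: tuple    # the excluded paths, extensions or process names


def decode_encoded_command(cmdline: str) -> str:
    """Return the script text hidden behind -EncodedCommand, or the line unchanged."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not valid base64/UTF-16LE: inspect the raw line instead


def exclusion_kind(param_name: str) -> str:
    """Map a (possibly abbreviated) -Exclusion* parameter to the list it changes."""
    p = param_name.lower()
    if p.startswith("exclusionpa"):
        return "path"
    if p.startswith("exclusionpr"):
        return "process"
    if p.startswith("exclusione"):
        return "extension"
    return "other"  # e.g. -ExclusionIpAddress on newer builds, or an ambiguous prefix


def find_defender_exclusions(lines):
    """Return an Exclusion for every -Exclusion* parameter passed to Add/Set-MpPreference."""
    found = []
    for line_no, line in enumerate(lines):
        text = decode_encoded_command(line)
        # Split on statement and pipeline separators so a parameter is tied to its own cmdlet.
        for segment in re.split(r"[;|]", text):
            cmd = CMDLET_RE.search(segment)
            if not cmd:
                continue
            for param, raw_values in PARAM_RE.findall(segment[cmd.end():]):
                values = tuple(v.strip("\"'") for v in VALUE_RE.findall(raw_values))
                found.append(Exclusion(line_no, cmd.group(0), exclusion_kind(param), values))
    return found


# Constructed sample command lines (not from the report), as a Sysmon Event 1 or
# Security 4688 collector would record them.
SAMPLE_LOGS = [
    r'powershell.exe -NoProfile -Command Add-MpPreference -ExclusionExtension "exe","dll" -ExclusionPath "C:\Users\Public" -ExclusionProcess "svchost.exe"',
    "powershell.exe -w hidden -e "
    + base64.b64encode(r'Add-MpPreference -ExclusionPath "C:\ProgramData\x"'.encode("utf-16-le")).decode("ascii"),
    "powershell.exe Set-MpPreference -ExclusionProcess 'powershell.exe', 'cmd.exe'; Start-Sleep 5",
    "powershell.exe Get-MpPreference | Select-Object ExclusionPath",   # read-only: must not alert
    "powershell.exe -Command Get-Process | Sort-Object CPU",           # unrelated
]


if __name__ == "__main__":
    for e in find_defender_exclusions(SAMPLE_LOGS):
        print(f"line {e.line_no}: {e.cmdlet} {e.kind} exclusion -> {', '.join(e.values)}")
```

A `Set-MpPreference` hit deserves the same attention as `Add-MpPreference`: it replaces the whole exclusion list, so a single call can both add the attacker's path and discard exclusions an administrator relied on. The script reads exclusions only from the command line or script block; to confirm what is actually in effect on a host, compare against the `ExclusionPath`, `ExclusionExtension` and `ExclusionProcess` properties returned by `Get-MpPreference`.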

MITRE ATT&CK Enterprise v15

Tasks