General

  • Target

    19072024_0433_18072024_Orden de Compra No.451566.zip

  • Size

    553KB

  • Sample

    240719-e6wwdawdmh

  • MD5

    8fede3e39b6e6f4caac072524093c883

  • SHA1

    111837b54281314b6d550099254e6cdff43a2d44

  • SHA256

    b02bc61d13e0b6b4095ab910ac991d4985fd8bcc283b24ac59a438b049052fc6

  • SHA512

    70019b871fc63aa162f2e19fe8cae29a123ed5bb2126f7b718833830f171f9b573fa24c881721ae198c0a9686c726dafd89560138cfc069e0755050489ecf3b5

  • SSDEEP

    12288:PiYpM/QP+/jGOrq3kdjZmazmDwG8KIwJX2hdOAQJGChK277WIgCAhDcNrN:PiYpM/Q2/jGLkdjnnGlCwJG92HVgCAhM

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    gy15

  • Decoy

    yb40w.top
    286live.com
    poozonlife.com
    availableweedsonline.com
    22926839.com
    petlovepet.fun
    halbaexpress.com
    newswingbd.com
    discountdesh.com
    jwoalhbn.xyz
    dandevonald.com
    incrediblyxb.christmas
    ailia.pro
    ga3ki3.com
    99812.photos
    richiecom.net
    ummahskills.online
    peakleyva.store
    a1cbloodtest.com
    insurancebygarry.com

Targets

    • Target

      Orden de Compra No.451566.exe

    • Size

      3.1MB

    • MD5

      17edb39cd907d5809f6a6ea3eff326b2

    • SHA1

      24f9c1e37ff3a6a360ebaea8dcc5d36dc6e75d0f

    • SHA256

      b819347078fa3ef6b874c0f8acbd32e0d153442ce42be82496ad15ae4dab5a59

    • SHA512

      3adfbd764089041067baa0ac31410971127c4d2033cefc87bf01fc20af8bfccb61d3af4add05921df1057a89b7493993ecaebed533847df62feb3c2e92ee9f5d

    • SSDEEP

      12288:Wd2QJ+r9SExqlYdjzKQpQD6okMI4JX2x1MyYJGCV02v3Sm08AhrcNC:U2Q4r9SjYdj3FoLOyJG/2/B08AhrcNC

    • Formbook

      Formbook is a data-stealing malware family.

    • UAC bypass

    • Windows security bypass

    • Formbook payload

    • Adds policy Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Windows security modification

    • Checks whether UAC is enabled

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks