General

  • Target

    Material data sheets Bill of Quantity Steel pipes and chemicals KM C654e21011710050.exe

  • Size

    615KB

  • Sample

    240719-jgdqqasgmg

  • MD5

    479e510cedc2482cd77a1845a131c86e

  • SHA1

    088b0dbae462a714ff459356509e59954913a13d

  • SHA256

    f5368436685277dd73f2ad2fe3be473fd4ab4f5c6691c1075eda750e8bfbcdb9

  • SHA512

    94ae751431916f79bd6efe199cef33542d45701216892a30ab6e8a68fcf5bd74b54b4adee4359d8b15633e18aad8984771145a7e52da3469fddedff6fc4b9997

  • SSDEEP

    12288:eiN882Buk9wq5VM4AsGWn1RS+KH6xD/hSLfgQqJvmbDCiN:eu2BugDVesdn1RS+K4VefgtmbG

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pz12

Decoy

paucanyes.com

autonwheels.com

cowboysandcaviarbar.com

fitnessengineeredworkouts.com

nuevobajonfavorito.com

dflx8.com

rothability.com

sxybet88.com

onesource.live

brenjitu1904.com

airdrop-zero1labs.com

guangdongqiangzhetc.com

apartments-for-rent-72254.bond

ombak99.lol

qqfoodsolutions.com

kyyzz.com

thepicklematch.com

ainth.com

missorris.com

gabbygomez.com

Targets

    • Target

      Material data sheets Bill of Quantity Steel pipes and chemicals KM C654e21011710050.exe

    • Formbook

      Formbook is an information stealer sold as malware-as-a-service: it grabs credentials and submitted form data from browsers and other applications, logs keystrokes and clipboard contents, takes screenshots, and exfiltrates the results to its C2.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Suspicious use of SetThreadContext

      Rewrites another thread's register context, typically to point the main thread of a hollowed or injected process at attacker-controlled code before resuming it.
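The decoy list in the extracted config and the PowerShell signature above translate directly into network and host detections. FormBook mixes its live C2 in among decoy domains and contacts several of them, so every entry in the list is worth alerting on, and the Defender-exclusion cmdlets are usually the first thing an analyst wants to hunt for in process-creation telemetry. The Python below is an added example, not part of the report or of any vendor tooling; the log line formats (`qname=` for DNS, `cmdline="…"` for process creation) and the sample lines are constructed for illustration. It also decodes `-EncodedCommand` payloads before matching, because the plain cmdlet name is trivially hidden that way.

```python
import base64
import re

# Decoy/C2 domains copied from the extracted FormBook config (campaign pz12).
FORMBOOK_PZ12_DOMAINS = {
    "paucanyes.com", "autonwheels.com", "cowboysandcaviarbar.com",
    "fitnessengineeredworkouts.com", "nuevobajonfavorito.com", "dflx8.com",
    "rothability.com", "sxybet88.com", "onesource.live", "brenjitu1904.com",
    "airdrop-zero1labs.com", "guangdongqiangzhetc.com",
    "apartments-for-rent-72254.bond", "ombak99.lol", "qqfoodsolutions.com",
    "kyyzz.com", "thepicklematch.com", "ainth.com", "missorris.com",
    "gabbygomez.com",
}

# Both Add-MpPreference and Set-MpPreference accept these exclusion parameters.
MP_CMDLET_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
EXCLUSION_RE = re.compile(r"-Exclusion(Path|Extension|Process)\b", re.IGNORECASE)
# -EncodedCommand and its short forms; the payload is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed log formats (assumption: one event per line, key=value fields).
DNS_QNAME_RE = re.compile(r"\bqname=(\S+)")
CMDLINE_RE = re.compile(r'cmdline="(.*)"$')


def is_formbook_domain(qname):
    """True if qname is one of the config domains or a subdomain of one."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in FORMBOOK_PZ12_DOMAINS)


def decode_encoded_command(cmdline):
    """Append the decoded -EncodedCommand payload (if any) so that exclusion
    cmdlets hidden behind base64/UTF-16LE encoding are still matched."""
    m = ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid encoded command; match the raw line only
    return cmdline + " " + decoded


def find_defender_exclusions(cmdline):
    """Return the sorted exclusion kinds (extension/path/process) that a
    PowerShell command line adds via Add-/Set-MpPreference, or [] if none."""
    text = decode_encoded_command(cmdline)
    if not MP_CMDLET_RE.search(text):
        return []
    return sorted({m.group(1).lower() for m in EXCLUSION_RE.finditer(text)})


def scan_logs(lines):
    """Walk DNS and process-creation lines and return (detection, detail) hits."""
    hits = []
    for line in lines:
        m = DNS_QNAME_RE.search(line)
        if m and is_formbook_domain(m.group(1)):
            hits.append(("formbook_c2_or_decoy_dns", m.group(1)))
            continue
        m = CMDLINE_RE.search(line)
        if m:
            kinds = find_defender_exclusions(m.group(1))
            if kinds:
                hits.append(("defender_exclusion_via_powershell", ",".join(kinds)))
    return hits


# Constructed sample telemetry, including an encoded variant of the exclusion command.
ENC_PAYLOAD = base64.b64encode(
    "Add-MpPreference -ExclusionProcess 'svchost.exe'".encode("utf-16-le")
).decode()
SAMPLE_LOG = [
    "2024-07-19T09:41:02Z dns client=10.0.0.5 qname=www.rothability.com qtype=A",
    "2024-07-19T09:41:03Z dns client=10.0.0.5 qname=update.microsoft.com qtype=A",
    '2024-07-19T09:41:10Z proc host=WS01 image=powershell.exe cmdline="powershell -w hidden Add-MpPreference -ExclusionPath C:\\Users\\Public -ExclusionExtension exe"',
    f'2024-07-19T09:41:11Z proc host=WS01 image=powershell.exe cmdline="powershell -enc {ENC_PAYLOAD}"',
    '2024-07-19T09:41:12Z proc host=WS01 image=powershell.exe cmdline="powershell Get-MpPreference"',
]

if __name__ == "__main__":
    for detection, detail in scan_logs(SAMPLE_LOG):
        print(f"{detection}: {detail}")
```

The subdomain match matters because FormBook requests a path under the configured host (often with a `www.` prefix), so an exact-match blocklist would miss the actual query. `Get-MpPreference` is deliberately not flagged: reading the configuration is benign and common in admin scripts.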

MITRE ATT&CK Enterprise v15

Tasks