General

  • Target

    3dd9da5f91ea1de269504d905252059371eafacb8b71b3bc0ac2c38a16db709a.exe

  • Size

    626KB

  • Sample

    240720-lfbabawcnj

  • MD5

    b6afc271ea1a05bafb1caef148175262

  • SHA1

    8436e8dbdbf690b6163f5a9b58b3fe1b3516281b

  • SHA256

    3dd9da5f91ea1de269504d905252059371eafacb8b71b3bc0ac2c38a16db709a

  • SHA512

    4070ebf15459a49aa1d66ceb9e052ea3aca287a39485b759b38f8efdd28f693bdd3b8dcf2f950323d90bb3c1756f96e1667920fa90e583cf6b8abfe352e12296

  • SSDEEP

    12288:hxiN882BGzZAb44UVDE5CBqxSjHDhMA+e3Xp3NTWFUtg4X/aU+CIZXLcvKbiN:zu2BOEUu57SrDhIIXpdTj+U+CcbAY

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pz12

Decoy

paucanyes.com

autonwheels.com

cowboysandcaviarbar.com

fitnessengineeredworkouts.com

nuevobajonfavorito.com

dflx8.com

rothability.com

sxybet88.com

onesource.live

brenjitu1904.com

airdrop-zero1labs.com

guangdongqiangzhetc.com

apartments-for-rent-72254.bond

ombak99.lol

qqfoodsolutions.com

kyyzz.com

thepicklematch.com

ainth.com

missorris.com

gabbygomez.com
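The decoy list above is the IOC set a responder will first want to run against DNS telemetry, with one caveat that matters for triage: a Formbook config bundles its real C2 with dozens of decoy domains, many of them ordinary legitimate sites, and the bot contacts them in a spread. A single lookup of one of these names is therefore weak evidence, while one host resolving several of them in quick succession is strong evidence. The following is an added example and not part of this sandbox report; the resolver log format, client IPs and timestamps are constructed for illustration, and only the domain list is taken from the report.

```python
"""Match DNS queries against the decoy-domain list extracted from this sample.

Added example (not part of the sandbox report). The DNS log lines are
constructed for illustration; the decoy list is copied from the report.
"""
from collections import defaultdict

# Decoy domains exactly as listed in the report's extracted Formbook config.
DECOY_DOMAINS = frozenset({
    "paucanyes.com", "autonwheels.com", "cowboysandcaviarbar.com",
    "fitnessengineeredworkouts.com", "nuevobajonfavorito.com", "dflx8.com",
    "rothability.com", "sxybet88.com", "onesource.live", "brenjitu1904.com",
    "airdrop-zero1labs.com", "guangdongqiangzhetc.com",
    "apartments-for-rent-72254.bond", "ombak99.lol", "qqfoodsolutions.com",
    "kyyzz.com", "thepicklematch.com", "ainth.com", "missorris.com",
    "gabbygomez.com",
})

# Constructed resolver log: "<timestamp> src=<client> query=<name> type=<rr>".
SAMPLE_DNS_LOG = """\
2024-07-20T13:05:11Z src=10.0.0.5 query=www.paucanyes.com. type=A
2024-07-20T13:05:11Z src=10.0.0.5 query=autonwheels.com type=A
2024-07-20T13:05:12Z src=10.0.0.5 query=api.github.com type=A
2024-07-20T13:05:13Z src=10.0.0.7 query=DFLX8.COM type=A
2024-07-20T13:05:14Z src=10.0.0.9 query=notdflx8.com type=A
"""


def normalize(host: str) -> str:
    """Lower-case and strip the trailing dot that resolver logs often keep."""
    return host.strip().rstrip(".").lower()


def matches_decoy(host: str, decoys=DECOY_DOMAINS):
    """Return the decoy that `host` equals or is a subdomain of, else None.

    Matching is label-wise suffix matching, so 'www.paucanyes.com' hits
    'paucanyes.com' but 'notdflx8.com' does not hit 'dflx8.com'.
    """
    labels = normalize(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in decoys:
            return candidate
    return None


def scan_dns_log(text: str):
    """Return (src, queried_name, matched_decoy) for every hit in the log."""
    hits = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        query = fields.get("query")
        if not query:
            continue
        decoy = matches_decoy(query)
        if decoy:
            hits.append((fields.get("src"), normalize(query), decoy))
    return hits


def suspect_hosts(hits, min_distinct=2):
    """Hosts that resolved at least `min_distinct` different decoys.

    Formbook cycles through its whole domain list, so a host touching several
    of them is far more telling than a single hit on a possibly legitimate decoy.
    """
    seen = defaultdict(set)
    for src, _, decoy in hits:
        seen[src].add(decoy)
    return sorted(h for h, d in seen.items() if len(d) >= min_distinct)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for src, name, decoy in found:
        print(f"{src} -> {name} (decoy {decoy})")
    print("hosts with multiple decoy lookups:", suspect_hosts(found))
```

Run against real resolver exports, the `suspect_hosts` threshold is the knob to tune: raising it trades a few missed single-beacon hosts for far fewer false positives from users who simply visited one of the legitimate decoy sites.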

Targets

    • Target

      3dd9da5f91ea1de269504d905252059371eafacb8b71b3bc0ac2c38a16db709a.exe

    • Size

      626KB

    • MD5

      b6afc271ea1a05bafb1caef148175262

    • SHA1

      8436e8dbdbf690b6163f5a9b58b3fe1b3516281b

    • SHA256

      3dd9da5f91ea1de269504d905252059371eafacb8b71b3bc0ac2c38a16db709a

    • SHA512

      4070ebf15459a49aa1d66ceb9e052ea3aca287a39485b759b38f8efdd28f693bdd3b8dcf2f950323d90bb3c1756f96e1667920fa90e583cf6b8abfe352e12296

    • SSDEEP

      12288:hxiN882BGzZAb44UVDE5CBqxSjHDhMA+e3Xp3NTWFUtg4X/aU+CIZXLcvKbiN:zu2BOEUu57SrDhIIXpdTj+U+CcbAY

    • Formbook

Formbook is an information stealer: it injects into browsers and other applications to capture submitted form data, keystrokes and clipboard contents, can take screenshots, and can download and run additional payloads on the operator's instruction.

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths and processes so the dropped payload is not scanned. On a live host the exclusions are written through the Add-MpPreference / Set-MpPreference cmdlets, so their appearance in process command lines is the detection point.

    • Checks computer location settings

Looks up the country code configured in the registry, most likely a geofence check so the sample can refuse to run in certain regions.

    • Suspicious use of SetThreadContext

      SetThreadContext on a thread in another process is a common process-injection step: code is written into a suspended process and the thread's instruction pointer is redirected to it. This is consistent with Formbook executing inside a legitimate-looking host process rather than the dropped executable.
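For the Defender-exclusion behaviour reported above, the detection a SOC engineer would write reads process-creation command lines and flags Add-MpPreference / Set-MpPreference calls that carry an -Exclusion* parameter, including when the command is hidden behind -EncodedCommand. The following is an added example and not part of this report: the `Image=... CommandLine=...` lines are constructed and stand in for Sysmon Event ID 1 / Security 4688 fields, and the encoded payload is built inline so the decode path runs offline.

```python
"""Flag PowerShell command lines that add Windows Defender exclusions.

Added example (not part of the sandbox report). The process-creation lines
are constructed; 'Image=... CommandLine=...' is a simplified stand-in for the
Sysmon Event ID 1 / Security 4688 fields a real detection would read.
"""
import base64
import re

# Add-MpPreference / Set-MpPreference with any of the three exclusion kinds
# the report names (paths, extensions, processes).
EXCLUSION_RE = re.compile(
    r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b"
)

# -EncodedCommand and the short forms commonly seen in the wild (-e, -ec, -enc).
# Longest alternative first so "-enc" is not consumed as "-e".
ENCODED_RE = re.compile(
    r"(?i)(?<![\w-])-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)"
)


def encode_ps(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded -EncodedCommand payload, or '' if there is none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # bad base64 or odd byte length
        return ""


def is_defender_exclusion(cmdline: str) -> bool:
    """True if the raw or base64-decoded command line adds a Defender exclusion."""
    return bool(EXCLUSION_RE.search(cmdline)
                or EXCLUSION_RE.search(decode_encoded_command(cmdline)))


def parse_event(line: str) -> dict:
    """Split 'Image=<path> CommandLine=<cmd>' into its two fields."""
    image, _, cmd = line.partition(" CommandLine=")
    return {"Image": image.removeprefix("Image="), "CommandLine": cmd}


def find_exclusion_events(lines):
    """Indices of events whose command line adds a Defender exclusion."""
    return [i for i, line in enumerate(lines)
            if is_defender_exclusion(parse_event(line)["CommandLine"])]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Built at import time so the encoded path is exercised without hand-made base64.
ENCODED_PAYLOAD = encode_ps("Set-MpPreference -ExclusionExtension exe")

# Constructed events: two exclusion writes (plain and encoded), two benign.
SAMPLE_EVENTS = [
    f"Image={PS} CommandLine=powershell -Command Add-MpPreference -ExclusionPath C:\\Users\\Public",
    f"Image={PS} CommandLine=powershell -nop -w hidden -enc {ENCODED_PAYLOAD}",
    f"Image={PS} CommandLine=powershell Get-MpPreference",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd /c dir",
]

if __name__ == "__main__":
    for i in find_exclusion_events(SAMPLE_EVENTS):
        ev = parse_event(SAMPLE_EVENTS[i])
        decoded = decode_encoded_command(ev["CommandLine"])
        print(f"[{i}] {ev['CommandLine']}")
        if decoded:
            print(f"     decoded: {decoded}")
```

Two caveats when moving this to production telemetry: command-line logging must be enabled (Sysmon, or 4688 with "Include command line in process creation events"), since 4688 without it shows only the image path; and legitimate administration scripts also call Add-MpPreference, so the alert should be enriched with the parent process (an Office or script-host parent is the malware pattern; a management agent is usually not).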

MITRE ATT&CK Enterprise v15
