General
-
Target
RFQ403065852.pdf.bat.exe
-
Size
668KB
-
Sample
240910-hrha8a1dpl
-
MD5
548723a3e99422d6ccf19ae013010e1b
-
SHA1
27e594a6814393331674014791cea927caeaf4a1
-
SHA256
9adb74d4a3e30d322e070b91da3865ae8c7b71dd0f4ebce22538d0ef73a55264
-
SHA512
3042a661121e5bb7fe77af406512ccbf7d745a8291ece023f416803bd6c546420868ed06d0144044e84d2875ab048244b640f9bfeb67d564f4c43105102f0b81
-
SSDEEP
12288:TkcZDcY/I1Y+04N46gUgXdaWzLgT4yOXqthDSRhIiKKKEA1A9/kR:YcBM1gzzXl9RXq32DKKKEGZ
Malware Config
Extracted
formbook
4.1
m49z
ormswarm.xyz
awn-care-63587.bond
uymetanail5.online
mergencyloan007.xyz
545.top
eiliao596.pro
ackersandmoverschennai.net
ehdiahmadvandmusicbest.click
tlgxmb2024.cloud
ulfcoastharborhopper.pro
rohns-disease-early-signs.today
oldenhorizonsbgcl.click
weetindulgencepro.xyz
yexoiup.xyz
yself-solar.net
kfirsatimla.online
bropub3.online
ouljourney.online
usvf76f.shop
onnaberich.online
Targets
-
-
Target
RFQ403065852.pdf.bat.exe
-
Size
668KB
-
MD5
548723a3e99422d6ccf19ae013010e1b
-
SHA1
27e594a6814393331674014791cea927caeaf4a1
-
SHA256
9adb74d4a3e30d322e070b91da3865ae8c7b71dd0f4ebce22538d0ef73a55264
-
SHA512
3042a661121e5bb7fe77af406512ccbf7d745a8291ece023f416803bd6c546420868ed06d0144044e84d2875ab048244b640f9bfeb67d564f4c43105102f0b81
-
SSDEEP
12288:TkcZDcY/I1Y+04N46gUgXdaWzLgT4yOXqthDSRhIiKKKEA1A9/kR:YcBM1gzzXl9RXq32DKKKEGZ
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-