General
-
Target
RFQ2403.exe
-
Size
589KB
-
Sample
240925-a7e7ssvdqq
-
MD5
23f2b134d5b7bce69858d4fe46e70aa2
-
SHA1
90f75b12b19e4dddab93fedb2da88bfacaf2344e
-
SHA256
bf7619fa136dc46e5612bdd8635e13618db486f01bb18716713a25b096331d30
-
SHA512
01ce8f2a22f18bda803c65163a9e034ca31c329c5a9c62e7f253fe69afe842e53414b1fc4753994fa4272bd270b58786537d3f16037711e9219dd9da2997e091
-
SSDEEP
12288:uQ8bQb9PnYoAMnmgQqdARAkgnChnt8w/zpTEKPUHL9ZBtrML9dS0DFy:uTIR0MagsgnCht8w/dTEKPU38S0Dc
Malware Config
Extracted
formbook
4.1
g29o
edplanethomes.homes
aimin.club
amacheerguide.online
bcddpza.bond
ediamarketplace.online
ynasty.wine
hengsui.top
ousy.fashion
en-mud.xyz
etcall.tech
harity-50528.bond
iski.world
ikelai6.pro
areemeh.info
eitert-suhre-lengerich.audi
959725vkjdngl559.top
73qp28bu.autos
lassiin.shop
audementalplus.online
3win9.cyou
Targets
-
-
Target
RFQ2403.exe
-
Size
589KB
-
MD5
23f2b134d5b7bce69858d4fe46e70aa2
-
SHA1
90f75b12b19e4dddab93fedb2da88bfacaf2344e
-
SHA256
bf7619fa136dc46e5612bdd8635e13618db486f01bb18716713a25b096331d30
-
SHA512
01ce8f2a22f18bda803c65163a9e034ca31c329c5a9c62e7f253fe69afe842e53414b1fc4753994fa4272bd270b58786537d3f16037711e9219dd9da2997e091
-
SSDEEP
12288:uQ8bQb9PnYoAMnmgQqdARAkgnChnt8w/zpTEKPUHL9ZBtrML9dS0DFy:uTIR0MagsgnCht8w/dTEKPU38S0Dc
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-