General
-
Target
QUOTATION.7Z
-
Size
545KB
-
Sample
240926-crm9ksvclh
-
MD5
708be7f03edd080b3413a059d5921351
-
SHA1
750cbc177094d4a318c0bee301b752b54a0825bd
-
SHA256
762bc2a55e45ce9545e3463608736fcdb4ced03d3c56ca23467f1ff00d1d54a1
-
SHA512
26b148951f0d210432073c43727ed33ab5a3dd6639ee1d9091f621a507b9f38d38a79cf58d67799775d8c28fd2d7542b4f7be5b03f338cb0962676c8d8447348
-
SSDEEP
6144:iSydphHfO0/tVbcmmcDyjBJztCndNxlOFyQJVlcg3jPXRvoSo+Sl6ktjYsDl8Ck8:kdDHdcm9yzt6NxEFBLzPSh+7W8K4S
Malware Config
Extracted
formbook
4.1
t94g
32188.top
mergencyroofrepair656460.online
jkahu.fun
ur4.autos
r0lba4cl0qkaws8.bond
eiliaowang.top
urjav.xyz
kidaman15.click
old-removal-p350.today
levatethismedia.info
h33323s40.top
dormy.click
5406.club
earlofwisdombook.pro
6980.app
ellwood999.biz
otdates.lol
164v.shop
thereal.app
takeget.online
Targets
-
-
Target
QUOTATION.exe
-
Size
597KB
-
MD5
5ef5a1d3d29621fddc9bdc633da0a90d
-
SHA1
83addd1df3377f9e3e7ba76912c5ac1a573a522a
-
SHA256
dea7a268c93cf1c1298d1b9afeff6e7a6bc1a4798f2f237b3e1094fde2fd3f9c
-
SHA512
f6c61a0f6eef46300e4de98336afc81d699ce0a4ac8c367eba661efc2acd77c4e45495f59474c20b177269b27a7acce085c11794fcb881f944fae6af85aa9426
-
SSDEEP
12288:/GxOSlVNuFIpZBMWcus9XstaCb2Qw8bQbK:hSDqIpbMWcV9XoNSQzIK
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-