General
-
Target
E-dekont.pdf.exe
-
Size
753KB
-
Sample
241009-mz4lmssdnq
-
MD5
0a2d4c92a9fcf85e1a8a9083cddd13e5
-
SHA1
022af44b15b363305ce6dd59c4d91b915c6e827f
-
SHA256
bcdb8d2083ae1e7cdf5894bfcf411cdc5e39059971c545e7485544d55c391418
-
SHA512
c36aa65978c8cb7a735de75da82385c50322ef28d737247aebb329ebd3ab522c2464278bd19b23314c872536f269d3d1e7c092171ecabcf1a4d0498062490a28
-
SSDEEP
12288:zTLdI7cVxnScO5GLOftnkqXGNLou7DstwZelvE7pCmNS8T9VC0ymE:nhI74xnpO5GLOfyqXCLR71eu7pCmNS8G
Malware Config
Extracted
formbook
4.1
m10i
rmani.today
ifebork.xyz
randovation.net
itchen-remodeling-65686.bond
himu.world
reverie.net
9038.top
rowahome.live
obility-scooters-63189.bond
iangchunqiu.top
yhd.fun
eniorsforseniors.biz
z9zs2.shop
kkjinni.buzz
22av373vu.autos
allnyy.fun
qst.digital
rcap.info
745.top
earfulabjectshirkwashclothe.cfd
Targets
-
-
Target
E-dekont.pdf.exe
-
Size
753KB
-
MD5
0a2d4c92a9fcf85e1a8a9083cddd13e5
-
SHA1
022af44b15b363305ce6dd59c4d91b915c6e827f
-
SHA256
bcdb8d2083ae1e7cdf5894bfcf411cdc5e39059971c545e7485544d55c391418
-
SHA512
c36aa65978c8cb7a735de75da82385c50322ef28d737247aebb329ebd3ab522c2464278bd19b23314c872536f269d3d1e7c092171ecabcf1a4d0498062490a28
-
SSDEEP
12288:zTLdI7cVxnScO5GLOftnkqXGNLou7DstwZelvE7pCmNS8T9VC0ymE:nhI74xnpO5GLOfyqXCLR71eu7pCmNS8G
Score10/10-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Deletes itself
-
Suspicious use of SetThreadContext
-