General

  • Target

    af105b0005d288b893447ca4ca282d296060c3b5bca44153dfb461b0fa24d78b

  • Size

    792KB

  • Sample

    241029-af74haykes

  • MD5

    3092b09cfc84fcf35dfa6fe099922335

  • SHA1

    4dca04684461b5f0ed95567b2ce660136420fc91

  • SHA256

    af105b0005d288b893447ca4ca282d296060c3b5bca44153dfb461b0fa24d78b

  • SHA512

    ad96cd10c1a64ef47cc7fba58a306209ce844a864e68321c76603fa108aff6a8d66d19c505be3fe4b06d7a887ac4dfdff03bfa8cecaffbd1c7d431b2752474a3

  • SSDEEP

    12288:Bhjo3cU9+noevwEbdlEL7AGrZdTMG8c68Db5qhe5DdPaFDLTZ8NYjyndWx:DjosU9Eoej8HrTr8TibYhEdPATZ8zI

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

    • Target

      af105b0005d288b893447ca4ca282d296060c3b5bca44153dfb461b0fa24d78b

    • Size

      792KB

    • MD5

      3092b09cfc84fcf35dfa6fe099922335

    • SHA1

      4dca04684461b5f0ed95567b2ce660136420fc91

    • SHA256

      af105b0005d288b893447ca4ca282d296060c3b5bca44153dfb461b0fa24d78b

    • SHA512

      ad96cd10c1a64ef47cc7fba58a306209ce844a864e68321c76603fa108aff6a8d66d19c505be3fe4b06d7a887ac4dfdff03bfa8cecaffbd1c7d431b2752474a3

    • SSDEEP

      12288:Bhjo3cU9+noevwEbdlEL7AGrZdTMG8c68Db5qhe5DdPaFDLTZ8NYjyndWx:DjosU9Eoej8HrTr8TibYhEdPATZ8zI

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks