General

  • Target

    4ed108b6fefaf7195648ba17ba194f04e8db13cec7e1adeb56ecaafa970f8d21.exe

  • Size

    614KB

  • Sample

    241029-cry13szrdq

  • MD5

    a108109409eab70287eff47e6365ff7c

  • SHA1

    83aaeb34e9410deef1ccaf6762e580821fd6c98f

  • SHA256

    4ed108b6fefaf7195648ba17ba194f04e8db13cec7e1adeb56ecaafa970f8d21

  • SHA512

    2278bd435b8a27f916a25c3bc2c3d496eb497a73aa75e469a9d0f0af01aa9d0c786d3d9eb7832a275fb976e23214ed0cd8e0e5517b103d9c71a6b46a2dfbe43b

  • SSDEEP

    12288:QMfzu2hn2t4ORZ4+w9BF7cdG8ALKxppsCTf9RIQ/RYTLx/O4eq5V:Qsj8WOr8PFj8AokCTfYQ/RYTLx1V

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn13

Decoy

5q53s.top

f9813.top

ysticsmoke.net

ignorysingeysquints.cfd

yncsignature.live

svp-their.xyz

outya.xyz

wlkflwef3sf2wf.top

etterjugfetkaril.cfd

p9eh2s99b5.top

400108iqlnnqi219.top

ynsu-condition.xyz

ndividual-bfiaen.xyz

anceibizamagazine.net

itrussips.live

orkcubefood.xyz

lindsandfurnishings.shop

ajwmid.top

pigramescentfeatous.shop

mbvcv56789.click

Targets

    • Target

      4ed108b6fefaf7195648ba17ba194f04e8db13cec7e1adeb56ecaafa970f8d21.exe

    • Size

      614KB

    • MD5

      a108109409eab70287eff47e6365ff7c

    • SHA1

      83aaeb34e9410deef1ccaf6762e580821fd6c98f

    • SHA256

      4ed108b6fefaf7195648ba17ba194f04e8db13cec7e1adeb56ecaafa970f8d21

    • SHA512

      2278bd435b8a27f916a25c3bc2c3d496eb497a73aa75e469a9d0f0af01aa9d0c786d3d9eb7832a275fb976e23214ed0cd8e0e5517b103d9c71a6b46a2dfbe43b

    • SSDEEP

      12288:QMfzu2hn2t4ORZ4+w9BF7cdG8ALKxppsCTf9RIQ/RYTLx/O4eq5V:Qsj8WOr8PFj8AokCTfYQ/RYTLx1V

    • Formbook

      Formbook is data-stealing malware (an information stealer).

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks