General

  • Target

    z73RFQREF-JTCAJ.exe

  • Size

    681KB

  • Sample

    241029-jydr2sxckd

  • MD5

    580d52f93549b085b8061f3e699eef17

  • SHA1

    9e9acbdb7fd7b1ded9d18a8aeee40355a2ec7790

  • SHA256

    53ef40005eacaaf2c37175d6f38dfa8d9efe91d4513dc545cd7176924d9e64ef

  • SHA512

    fe08643b09d4ddd0f6125a7e89a8204a94618238444a4a7339b26a82041af06a170bc1c47e685ec71307891118bf15bc9d43a9b7b12a878de2f72c263cc3f382

  • SSDEEP

    12288:8+YLrsVU2hHe8rolfBemE4uNfwY5a+uT5naPRTiLD:JD+8EAmX0Va+A5a5TiL

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cd36

Decoy


Targets


    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks