General

  • Target

    RFQREF-JTCAJC-QINHP5-TIS-L0009-ALDHAFRAALJABER-SUPPLY.exe

  • Size

    653KB

  • Sample

    241029-kwqt9svmhp

  • MD5

    28962cf2256813cd85182e59281b8fb8

  • SHA1

    7acfb602f72ae8f129eff2d48b2773a996dadf39

  • SHA256

    736b209eebf951e82c1854a0149aa159f609e6bf202225ba58793108cc26ed33

  • SHA512

    2d19c2c2658df87a5a9a0489d1f91b00abc7c21661420dff0a07c76d88b6fda9565c54e0d7b4a2819fbda0b30678954511fd9c58e1ea3534fc3053ae5fd06aec

  • SSDEEP

    12288:+OrDR3yjNnE8xH1U33/T5nx+sxFbluyY3XSZDoLzZMOwLr9:+4DM7xVUnbxx+s3I3XeASOG

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rp26

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks