General

  • Target

    94f858ec5529f4f52ae1bed542d9a38b2ab7e4be0446c4d9252f0de3d7cf2dce.exe

  • Size

    739KB

  • Sample

    241109-dqlvsswepf

  • MD5

    d81b47b60f4ab72d26d70eed50f4b72a

  • SHA1

    16b85b52a3db23ad7f7e297b3d270ed5100f34c7

  • SHA256

    94f858ec5529f4f52ae1bed542d9a38b2ab7e4be0446c4d9252f0de3d7cf2dce

  • SHA512

    8b1480c5ec7f7fd3ee8cbfbb0f446e244b41a08d4568c0fc17894ddc314252a83bedc50ebe815429e737201653273c641becd75416569b999ac1226a937ca996

  • SSDEEP

    12288:AgWVyEsrM2W0RPDGFbSSSAn+MHkTn4PVwD+iEmNg1B/dEmbGqpJ:9WVyEmMH0qkA+MHY4GDZE11RSmNpJ

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

    • Target

      94f858ec5529f4f52ae1bed542d9a38b2ab7e4be0446c4d9252f0de3d7cf2dce.exe

    • Size

      739KB

    • MD5

      d81b47b60f4ab72d26d70eed50f4b72a

    • SHA1

      16b85b52a3db23ad7f7e297b3d270ed5100f34c7

    • SHA256

      94f858ec5529f4f52ae1bed542d9a38b2ab7e4be0446c4d9252f0de3d7cf2dce

    • SHA512

      8b1480c5ec7f7fd3ee8cbfbb0f446e244b41a08d4568c0fc17894ddc314252a83bedc50ebe815429e737201653273c641becd75416569b999ac1226a937ca996

    • SSDEEP

      12288:AgWVyEsrM2W0RPDGFbSSSAn+MHkTn4PVwD+iEmNg1B/dEmbGqpJ:9WVyEmMH0qkA+MHY4GDZE11RSmNpJ

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks