General

  • Target

    e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633.exe

  • Size

    731KB

  • Sample

    241109-ejbxpaxbqh

  • MD5

    b13f89d8eafc3a90742bb8fe102e4225

  • SHA1

    8c0a430ea82da3282be9c2dc2011c0d1b4a3cc2b

  • SHA256

    e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633

  • SHA512

    85d98bc784bce0cbf5d7264e44b89d1a72c7892aeb9defbe622f7844479d9dcd06d2679e7ec0e2f8691af334dfdbb17540ffb55f24e2f06b8ecb9f53b5f13e13

  • SSDEEP

    12288:53O+0J9NQxftcBfz6wzGxGOuyNwuhzKm+gATKkwpf8Z0l14r7N5:JqJvQxFu76eGEnymcATXwpfGj7N

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

    • Target

      e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633.exe

    • Size

      731KB

    • MD5

      b13f89d8eafc3a90742bb8fe102e4225

    • SHA1

      8c0a430ea82da3282be9c2dc2011c0d1b4a3cc2b

    • SHA256

      e7fc9e51d81f4b40dca80a3d83ca54a03120566b6dd6f76e0299546ac178f633

    • SHA512

      85d98bc784bce0cbf5d7264e44b89d1a72c7892aeb9defbe622f7844479d9dcd06d2679e7ec0e2f8691af334dfdbb17540ffb55f24e2f06b8ecb9f53b5f13e13

    • SSDEEP

      12288:53O+0J9NQxftcBfz6wzGxGOuyNwuhzKm+gATKkwpf8Z0l14r7N5:JqJvQxFu76eGEnymcATXwpfGj7N

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks