General

  • Target

    PF234-91224.pdf.rar

  • Size

    578KB

  • Sample

    241209-s3z1hsxmck

  • MD5

    c36f7991cb6e5ac34306815babfadf4c

  • SHA1

    eaaf48d3efb0e2a5b10b988ff6403c5e3ecb5510

  • SHA256

    bdd9e311c550bef90f58fb23c8e3318cc388ac62e756aa0927f91b85a3e75103

  • SHA512

    3345aaaf83f59a8987a54f59fd5bd08c9aafab4e12d0515bed87a523ade727c00c8efca7a17fbad02b4c6959f0dc8e27a0750c9eb10a16c6cda1cebdfefadfa3

  • SSDEEP

    12288:6DD3PNk45FG5sVbC0JUsDAbXgSTxKKpU1HouvyFgww3aclM3sATidw/YQpN6b:clP5FhCWAjNU1X6ewwF+30dwrz6

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    mi06

  • Decoy

Targets

    • Target

      PF234-91224.pdf.exe

    • Size

      887KB

    • MD5

      0285fed1a8816679555b3ad83d259eec

    • SHA1

      fd36638db0103fe9530cefcc2b612c307bac5462

    • SHA256

      b3f2e166da0892b3ab4d77f3b7764c7d50296fc234a8da7355db5677f090273f

    • SHA512

      72bd8a4e9e0dc6eed172d2c0d1f58dad1dca09915c888604fb382e1aa22ec12f7233a9fcc082a1b7c858555b11f4bce60180c5d658f4b7a33573eaaf5c290f3c

    • SSDEEP

      12288:8rFcvLvKirjTpzk+958lIe9bVAwb7NsriUe67N0d4CeU:oFwC+NgCejfHNoXRU

    • Formbook

      Formbook is an information-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15