General

  • Target

    64a8f5c2209bf86e1aa4489fffa5cf93aee6955b0106909345a313de38ad7885.exe

  • Size

    712KB

  • Sample

    241213-c1xvdawkat

  • MD5

    6cfdfa1de0f031646ee75bde799cb877

  • SHA1

    6da4c76342858daf1c4e55d537ebfe8b846b87b1

  • SHA256

    64a8f5c2209bf86e1aa4489fffa5cf93aee6955b0106909345a313de38ad7885

  • SHA512

    77acb0a4e390c687d5e4c70c9c4b2f4c6b3e01cd53faf61e3d3e760f126c843ec3a51321d5110796891d0409c3eddbae6cf8653e31c19a77d3f411914ccce72d

  • SSDEEP

    12288:nX5Xt1wWT9YeNqKXO0WTmPUIBdL23sUk/d6nifUmyyDdU/wxSc1GFVeDB:hT9YKXO0fbf16nicsWoxS

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc01

Decoy

epatitis-treatment-26155.bond

52cy67sk.bond

nline-degree-6987776.world

ingxingdiandeng-2033.top

mberbreeze.cyou

48xc300mw.autos

obs-for-seniors-39582.bond

tpetersburg-3-tonn.online

egafon-parser.online

172jh.shop

ltraman.pro

bqfhnys.shop

ntercash24-cad.homes

uhtwister.cloud

alk-in-tubs-27353.bond

ucas-saaad.buzz

oko.events

8080713.xyz

refabricated-homes-74404.bond

inaa.boo

Targets

    • Target

      64a8f5c2209bf86e1aa4489fffa5cf93aee6955b0106909345a313de38ad7885.exe

    • Size

      712KB

    • MD5

      6cfdfa1de0f031646ee75bde799cb877

    • SHA1

      6da4c76342858daf1c4e55d537ebfe8b846b87b1

    • SHA256

      64a8f5c2209bf86e1aa4489fffa5cf93aee6955b0106909345a313de38ad7885

    • SHA512

      77acb0a4e390c687d5e4c70c9c4b2f4c6b3e01cd53faf61e3d3e760f126c843ec3a51321d5110796891d0409c3eddbae6cf8653e31c19a77d3f411914ccce72d

    • SSDEEP

      12288:nX5Xt1wWT9YeNqKXO0WTmPUIBdL23sUk/d6nifUmyyDdU/wxSc1GFVeDB:hT9YKXO0fbf16nicsWoxS

    • Formbook

      Formbook is a data stealing malware which is capable of stealing data.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks