General

  • Target

    3aY3m96tqMSF6uX.exe

  • Size

    713KB

  • Sample

    241214-p3h58atqdr

  • MD5

    e0e2345d91945b57353de7be04535f15

  • SHA1

    2d5ac0274b741d19da82180264f5819ddfd11551

  • SHA256

    863062f983aac165c04b1af4ce761865b4fd734b71de85e0aba00c112febac2b

  • SHA512

    e78122530a09a9b874e5291584ffb4257e34fa1ea3b9f8f1dc54c5fa757de269566e2b07533ae3a7ba6212cd253c399949faaaab8f261ed8952c636d2146cf35

  • SSDEEP

    12288:OC25usx+XtWhK/bACVDNdRBE6teRn6iB6/VN9hogN5AjJeuM5cifib7Qhk:yxg8ClrRa3Rn3BoP/AjO5cK

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ax19

Decoy

Targets

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks