General

  • Target

    Swift Copy.bin

  • Size

    766KB

  • Sample

    241215-ywapyavpex

  • MD5

    8f5b567178dc84b182b9bef20d1ba3fd

  • SHA1

    c9e63301ec2c68f8d1a087678d6947eb0f94ff71

  • SHA256

    421f027f55c2899348146d6ef602fb6aaa2376c2479406a720f21f5af672d4ae

  • SHA512

    2295886a0d77655ed8c897668a7d148003a53a32885277e92fd4261b90f2465b358f1f150335c8a70ac5fc2ec5f8a5fc0a8c5e6b1324eab2f94a44dfff06c0cb

  • SSDEEP

    12288:lCMKhM39TXsTAiN81mLdCc6VbSogpA7beNEyDBcmpb7I1i5pSTTXnVluolN3l1:oMaci4OARRgeHeHBZ98i5CVlugN3

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    ct27

  • Decoy


Targets

    • Target

      Swift Copy.bin

    • Formbook

      Formbook is a data-stealing malware family.

    • Formbook family

    • Formbook payload

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks