General

  • Target

    JaffaCakes118_8af31cc4f0936dcb289eb4474a4c14b05d6f62407e08964b293d3c3a3441d556

  • Size

    667KB

  • Sample

    241229-f6cceatnhv

  • MD5

    321a97cc27239cc54aac2760196a7ccc

  • SHA1

    f4a3cbfb28db41dedc88183166817bed3357850a

  • SHA256

    8af31cc4f0936dcb289eb4474a4c14b05d6f62407e08964b293d3c3a3441d556

  • SHA512

    ffb6d7a7252e523331ea6738414798a61aef6cae925b842a04284dc129fc6446e828518e58c7e44bd90f082a69afaa64954b44a667f3550c51a4a9f82569190e

  • SSDEEP

    12288:AsroJSSqxUoJFpo0V2Q0vGhiiFJj1Hznt3Rc/uwiHa26dNljzmwAFOb5cg2n:jroUtpobQ0IiajRDt3SViHzcNljpplcf

Malware Config

Extracted

  • Family

    formbook

  • Version

    4.1

  • Campaign

    gc9

  • Decoy

    mahiroglunakliyat.xyz
    zhonghemao.com
    luxunwrapped.store
    dchealthsolutions.com
    smoothcupofjoe.com
    lavmeantikuman.com
    tryvlviscal.com
    barefootwildbakery.com
    anticoronapreventionshop.com
    transactionreview.info
    pierdapesoyganeplata.com
    stella-tgsei-df-01.com
    jagarnat.com
    dadadongy.asia
    streamload.xyz
    lehighvalleytubing.com
    happywife101.com
    bitcominformatics.com
    profxbenefits.com
    djskitchenevents.com

Targets

    • Target

      INV-7182234 PDF.exe

    • Size

      713KB

    • MD5

      62ff7b0794ea1490f930958e19d6a26b

    • SHA1

      6af133db25d9f2183877f7b094fcda32828b30d3

    • SHA256

      167bf768c164ac7181b18d6ce91cd51f7d3cd40470a8c8f67bb4a8e2bf00b65b

    • SHA512

      4e923724d2890cdaa5f652d5fa12d31713f8e9dca9e18eb07e76c6679b1498c513b86b0f2d81a2a0c1905779f068655c889333252d4ac9714222aee42130d126

    • SSDEEP

      12288:uXqgHEGTXTI86bB7o5qwTW7py12qk4h7zJdpDj2UnrbSmnCFdfZtL/wgGgOUBZqQ:uXqyE8s7tck6xP2UrbadZtp

    • Formbook

      Formbook is data-stealing malware.

    • Formbook family

    • Formbook payload

    • Deletes itself

    • Suspicious use of SetThreadContext

    • Target

      Purchase order 76353 ALtan.lnk

    • Size

      3KB

    • MD5

      b4595b72f1d67c6062fd286be15aebd4

    • SHA1

      87c2b6d575baa07f4d13a3332c8858983dbc3284

    • SHA256

      55756cbf17c39876ec3bb2ca836ea9b55741622aafd3237d9ef2e971502d0d29

    • SHA512

      16bd5d57e5e83d3f5f7202744063c6d7c05be69425b6758997c2f53c893d720809fb793639f7dde9451c3c3c1f409de8e3d4ebe0861bfd7740491cf74137a1b9

    • Score

      8/10

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

MITRE ATT&CK Enterprise v15

Tasks